Commit 9f6187ab authored by Jérome Perrin's avatar Jérome Perrin

web_renderjs_ui: XXX allow 'unsafe-eval' in script-src XXX

This is for a prototype of integrating https://github.com/rjsf-team/react-jsonschema-form/
which uses ajv which needs such as CSP, see
https://github.com/ajv-validator/ajv/blob/1b07663f3954b48892c7210196f7c6ba08000091/docs/security.md#content-security-policy
for more details

It is probably possible to serve that gadget from an "unsafe" websection
instead of making everything unsafe. If we go this way it seems some inline
styles are sometimes set as well.
parent 863460fb
...@@ -357,7 +357,7 @@ ...@@ -357,7 +357,7 @@
</item> </item>
<item> <item>
<key> <string>configuration_content_security_policy</string> </key> <key> <string>configuration_content_security_policy</string> </key>
<value> <string>default-src \'self\'; img-src \'self\' data: blob:; media-src \'self\' blob:; connect-src \'self\' lab.nexedi.com data:; script-src \'self\'; font-src \'self\'; style-src \'self\' data:; frame-src \'self\' data:</string> </value> <value> <string>default-src \'self\'; img-src \'self\' data: blob:; media-src \'self\' blob:; connect-src \'self\' lab.nexedi.com data:; script-src \'unsafe-eval\' \'self\'; font-src \'self\'; style-src \'self\' data:; frame-src \'self\' data:</string> </value>
</item> </item>
<item> <item>
<key> <string>configuration_default_view_action_reference</string> </key> <key> <string>configuration_default_view_action_reference</string> </key>
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment