Home Explore Help
Sign In
Tailscale
/
tailscale
mirror of https://github.com/tailscale/tailscale.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

client/web: remove 'unsafe-inline' from CSP

I seem to recall I needed this for things to work properly with the vite
dev server, but that doesn't seem to be the case anymore?  Everything
seems to work fine without it.  If we still have issues, we'll need to
look into using a nonce or integrity attribute.

Updates #10261
Fixes tailscale/corp#16266

Signed-off-by: Will Norris <[email protected]>
Will Norris 2 years ago
parent
c2fe123232
commit
970dc2a976
1 changed files with 1 additions and 1 deletions
Split View Show Diff Stats
  1. 1 1
      client/web/web.go

+ 1 - 1
client/web/web.go
View File 

@@ -253,7 +253,7 @@ func (s *Server) serve(w http.ResponseWriter, r *http.Request) {
 
 		if !s.devMode {
 
 			w.Header().Set("X-Frame-Options", "DENY")
 
 			// TODO: use CSP nonce or hash to eliminate need for unsafe-inline
 
-			w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-inline'; img-src * data:")
 
+			w.Header().Set("Content-Security-Policy", "default-src 'self'; img-src * data:")
 
 			w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
 
 		}
 
 	}