Revert "Give up on CSP blocking inline <style>s"

This reverts commit 5829d1320a.
Richard Feldman 2022-11-19 04:51:10 -05:00
parent fa68d860b1
commit 951fc5a8ed
No known key found for this signature in database
GPG key ID: F1F21AA5B1D9E43B


@ -20,9 +20,13 @@
#
# This style-src hash is to permit the <style> in the favicon so it looks good in both light and
# dark mode. Favicons can only do this using inline <style> tags, so this exception is needed!
# In the past we tried doing this via a sha256 hash, which is supposedly possible but in practice
# always seemed to result in the browser rejecting everything, leaving the page unstyled.
Content-Security-Policy = "default-src 'self'; img-src *; script-src 'self' 'unsafe-eval'; style-src 'unsafe-inline';"
#
# When changing the favicon's <style>, generate a new hash and put it here using:
#
# $ echo -n "polygon {fill: #7d59dd;}@media (prefers-color-scheme: dark) {polygon {fill: #9c7bea;}}" | openssl dgst -sha256 -binary | openssl enc -base64
#
# Details on how this works: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
Content-Security-Policy = "default-src 'self'; img-src *; script-src 'self' 'unsafe-eval'; style-src 'sha256-LBYRCm8plH1PNnz1FlahQzgfRJUayryYlxVEGFwsTNo=';"
X-Content-Type-Options = "nosniff"
# Firefox prefetch requires some cache-control to be set
# See https://bugzilla.mozilla.org/show_bug.cgi?id=1527334
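Review bot: The restored `style-src` on the new Content-Security-Policy line lists only the sha256 hash, and because an explicit `style-src` replaces the `default-src 'self'` fallback, any same-origin stylesheet loaded through `<link>` would be refused. That may be what the reverted comment described as the browser rejecting everything. If the site loads external CSS, the directive should read `style-src 'self' 'sha256-LBYRCm8plH1PNnz1FlahQzgfRJUayryYlxVEGFwsTNo=';`. The hash also matches only when the bytes between the favicon's `<style>` tags equal the string in the `echo -n` command exactly, whitespace included, so I would add `# The hash covers the exact text between <style> and </style>, including whitespace.` above the command. The file continues past this hunk, so other headers were not reviewed.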