fix csp for sentry

This commit is contained in:
codl 2017-08-28 01:50:16 +02:00
parent e8f45c1af6
commit 16f6739189
No known key found for this signature in database
GPG Key ID: 6CD7C8891ED1233A
1 changed files with 6 additions and 1 deletions

app.py

@ -74,7 +74,12 @@ limiter = Limiter(app, key_func=rate_limit_key)
@app.after_request @app.after_request
def install_security_headers(resp): def install_security_headers(resp):
csp = "default-src 'none'; img-src 'self' https: http:; script-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self'; frame-ancestors 'none'" csp = "default-src 'none'; img-src 'self' https: http:; style-src 'self' 'unsafe-inline'; connect-src 'self'; frame-ancestors 'none'"
if 'SENTRY_DSN' in app.config:
csp += "; script-src 'self' https://cdn.ravenjs.com/"
else:
csp += "; script-src 'self'"
if 'CSP_REPORT_URI' in app.config: if 'CSP_REPORT_URI' in app.config:
csp += "; report-uri " + app.config.get('CSP_REPORT_URI') csp += "; report-uri " + app.config.get('CSP_REPORT_URI')
resp.headers.set('Content-Security-Policy', csp) resp.headers.set('Content-Security-Policy', csp)