authorAdam Mathes <adam@adammathes.com>2026-02-14 10:14:09 -0800
committerAdam Mathes <adam@adammathes.com>2026-02-14 10:14:09 -0800
commit00512c639841dac9ca8d1cff5c2532ce7584eb15 (patch)
tree6e9950385b3e4fbd63b044fb830d53541ae61cf0 /web/web.go
parent9d3b2a90316a1a5f735845f61abbd8a875529060 (diff)
fix: relax CSP to allow unsafe-eval for legacy UI
Diffstat (limited to 'web/web.go')
-rw-r--r--web/web.go2
1 files changed, 1 insertions, 1 deletions
diff --git a/web/web.go b/web/web.go
index 6c8e632..ffec8b9 100644
--- a/web/web.go
+++ b/web/web.go
@@ -401,7 +401,7 @@ func SecurityHeadersMiddleware(next http.Handler) http.Handler {
// style-src 'self' 'unsafe-inline' (for React/styled-components if used)
// img-src 'self' data: * (RSS images can be from anywhere)
// connect-src 'self' (API calls)
- w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: *; connect-src 'self'; frame-ancestors 'none';")
+ w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: *; connect-src 'self'; frame-ancestors 'none';")
next.ServeHTTP(w, r)
})
}
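Review bot: The new header value on the `+` line adds `'unsafe-eval'` to `script-src` for every response that passes through SecurityHeadersMiddleware, not only for the legacy UI named in the commit title, so all other pages served behind this middleware also lose the CSP restriction on evaluating strings as code. Consider keeping the strict policy as the default and sending the relaxed one only on the legacy UI's routes, e.g. `if strings.HasPrefix(r.URL.Path, legacyPrefix) { csp = legacyCSP }`, where `legacyPrefix` and `legacyCSP` are placeholders because the legacy mount path is not visible here. The comment block above the call should also record the exception, e.g. `// script-src 'self' 'unsafe-eval' (legacy UI only; drop once it no longer needs eval)`. The start of the function body lies outside the hunk, so an existing script-src comment line may need updating rather than adding.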