Expand file tree Collapse file tree 2 files changed +2
-2
lines changed Original file line number Diff line number Diff line change @@ -81,7 +81,7 @@ map $arg_st $redirect_single_prefix {
8181map $request_uri $central_frontend_csp {
8282 # Web Forms CSP for /f/... and /projects/.../forms/... routes
8383 ~^/(?:f/[^/]+(?:/.*)?|projects/\d+/forms/[^/]+/(?:(?:draft/)?(?:preview|submissions/new(?:/offline)?)|submissions/[^/]+/edit)(?:/)?)(?:\?.*)?$
84- "default-src 'none'; connect-src 'self' https:; font-src 'self' data:; frame-src 'none '; img-src blob: https:; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src blob:; report-uri /csp-report";
84+ "default-src 'none'; connect-src 'self' https:; font-src 'self' data:; frame-src 'self '; img-src blob: https:; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; worker-src blob:; report-uri /csp-report";
8585
8686 default
8787 "default-src 'none'; connect-src 'self' https://translate.google.com https://translate.googleapis.com; font-src 'self'; frame-src 'self' https://getodk.github.io/central/news.html; img-src data: https:; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; style-src-attr 'unsafe-inline'; worker-src blob:; report-uri /csp-report";
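Review bot: The web-forms policy on new line 84 now lets these pages frame any same-origin URL, while the only need stated in this commit (the inline comment in the second file) is the /enketo-passthrough/ iframes. `'self'` cannot carry a path, so if the narrower scope matters it would need a host-source with a path instead; otherwise record the reason next to the existing comment on line 82, e.g. `# frame-src 'self': web-forms pages embed /enketo-passthrough/ URLs in iframes`. As rendered here the token reads `'self '` with a space before the closing quote, as did the old `'none '`, so this is probably a page artefact, but it is worth confirming in the file because a CSP parser would not recognise that as the keyword. The map block opens in this hunk and closes outside it.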
Original file line number Diff line number Diff line change @@ -125,7 +125,7 @@ const contentSecurityPolicies = {
125125 self ,
126126 'data:' ,
127127 ] ,
128- 'frame-src' : none ,
128+ 'frame-src' : self , // web-forms pages also host /enketo-passthrough/ URLs via iframes
129129 'img-src' : [
130130 'blob:' ,
131131 'https:' ,