miscweb: add script-src: unsafe-inline for themeroller

Closes gh-68
jquery · Nov 18, 2024 · b8f77ae · b8f77ae
1 parent 2c3adc0
commit b8f77ae
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/hieradata/environments/production/roles/miscweb.yaml b/hieradata/environments/production/roles/miscweb.yaml
@@ -46,9 +46,10 @@ profile::miscweb::sites:
       }
     php_env:
       THEMEROLLER_ZIPDIR: /var/cache/themeroller-zip
-    # style-src: lots of inline styles
+    # style-src: unsafe-inline for inline styles
+    # script-src: unsafe-inline for inline scripts
     # img-src: data: for inline images
-    csp_header: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint
+    csp_header: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint
   bugs.jquery.com:
     repository:
       name: jquery/bugs.jquery.com