WEBUI-1446: CSP headers without the insecure unsafe-inline

nuxeo · Feb 23, 2024 · b3dbe12 · b3dbe12
1 parent e772d8a
commit b3dbe12
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/index.html b/index.html
@@ -57,7 +57,10 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0" />
 
     <!-- Content security policy (needs Nuxeo.UI.config.expressions.eval = false) -->
-    <!-- meta http-equiv="Content-Security-Policy" content="img-src data: blob: *; default-src blob: *; script-src data: * 'nonce-dummy'; style-src 'unsafe-inline' *; font-src data: *" -->
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="img-src data: blob: *; default-src blob: *; script-src data: * 'nonce-dummy'; style-src 'unsafe-inline' *; font-src data: *"
+    />
 
     <link rel="stylesheet" type="text/css" href="index.css" />
   </head>
@@ -116,7 +119,7 @@
               ],
               blob: ['appLinks', 'preview'],
             },
-            // expressions: { eval: false },
+            expressions: { eval: false },
             dateFormat: 'LL',
             dateTimeFormat: 'LLL',
             firstDayOfWeek: '',