From 565390303561fb101116e7166a3c5f8562c535a3 Mon Sep 17 00:00:00 2001
From: mmelko
Date: Thu, 17 Oct 2024 15:28:26 +0200
Subject: [PATCH] fix(#502): extend CSP to work with monaco-editor
---
 docker/includes/security-headers-online.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/includes/security-headers-online.conf b/docker/includes/security-headers-online.conf
index 3fce72ec..f91a84ca 100644
--- a/docker/includes/security-headers-online.conf
+++ b/docker/includes/security-headers-online.conf
@@ -3,4 +3,4 @@ include /etc/nginx/includes/security-headers-base.conf;
 # Govern what content can be loaded by the server and from where
 # Click jacking prevention to be used in addition to X-Frame-Options
 # Requires allowing inline-styles and inline data objects (svg imgs)
-add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; img-src 'self' data:; frame-ancestors 'self'; form-action 'self'; ";
+add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data: https://cdn.jsdelivr.net/npm/monaco-editor@0.43.0/min/; img-src 'self' data:; frame-ancestors 'self'; form-action 'self'; script-src-elem 'self' https://cdn.jsdelivr.net/npm/monaco-editor@0.43.0/min/; style-src-elem 'self' 'unsafe-inline' https://cdn.jsdelivr.net/npm/monaco-editor@0.43.0/min/;";
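Review bot: The new `script-src-elem` and `style-src-elem` sources on the added `add_header` line make a third-party CDN part of the page's trusted script origin, and the only thing narrowing it is the `/npm/monaco-editor@0.43.0/min/` path prefix. CSP drops the path part of a source expression once a request has been redirected, and these dynamically loaded assets are unlikely to carry Subresource Integrity, so the policy now depends on the CDN serving exactly those files. Serving the Monaco `min/` assets from the application's own origin would let the header stay at `'self'`; if the CDN has to stay, the comment block above should say so, e.g. `# Monaco editor assets are loaded from cdn.jsdelivr.net; the pinned version must match the one the UI requests`. Monaco's workers are governed by `worker-src` (falling back to `child-src`, `script-src`, `default-src`), not `script-src-elem`, so it is worth confirming they still start under this policy.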