Add quotes and be explicity about script-src

This commit is contained in:
Erik Johnston 2016-09-05 17:35:01 +01:00
parent 662b031a30
commit d51b8a1674
1 changed files with 2 additions and 1 deletions

View File

@ -47,7 +47,8 @@ class DownloadResource(Resource):
def _async_render_GET(self, request): def _async_render_GET(self, request):
request.setHeader( request.setHeader(
"Content-Security-Policy", "Content-Security-Policy",
"default-src none;" "default-src 'none';"
" script-src 'none';"
" plugin-types application/pdf;" " plugin-types application/pdf;"
" style-src 'unsafe-inline';" " style-src 'unsafe-inline';"
" object-src 'self';" " object-src 'self';"