diff --git a/src/middleware/security_headers.rs b/src/middleware/security_headers.rs index 1641c3bbce5..969431308aa 100644 --- a/src/middleware/security_headers.rs +++ b/src/middleware/security_headers.rs @@ -39,13 +39,15 @@ impl SecurityHeaders { // to load scripts. Remove 'unsafe-eval' if google fixes the issue: // https://github.com/google/google-visualization-issues/issues/1356 // or if we switch to a different graph generation library. + // + // 'unsafe-inline' for style-src is necessary for Google Charts headers.insert( "Content-Security-Policy".into(), vec![format!( "default-src 'self'; \ connect-src 'self' https://docs.rs https://{}; \ script-src 'self' 'unsafe-eval' https://www.google.com; \ - style-src 'self' https://www.google.com https://ajax.googleapis.com; \ + style-src 'self' 'unsafe-inline' https://www.google.com https://ajax.googleapis.com; \ img-src *; \ object-src 'none'", s3_host