From 1757f1d4e3782fdc2ab741dece300d360361c25c Mon Sep 17 00:00:00 2001
From: Justin Geibel
Date: Tue, 7 Jan 2020 23:49:15 -0500
Subject: [PATCH] Add 'unsafe-inline' for style-src CSP

---
 src/middleware/security_headers.rs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/middleware/security_headers.rs b/src/middleware/security_headers.rs
index 1641c3bbce5..969431308aa 100644
--- a/src/middleware/security_headers.rs
+++ b/src/middleware/security_headers.rs
@@ -39,13 +39,15 @@ impl SecurityHeaders {
         // to load scripts. Remove 'unsafe-eval' if google fixes the issue:
         // https://github.com/google/google-visualization-issues/issues/1356
         // or if we switch to a different graph generation library.
+        //
+        // 'unsafe-inline' for style-src is necessary for Google Charts
         headers.insert(
             "Content-Security-Policy".into(),
             vec![format!(
                 "default-src 'self'; \
                  connect-src 'self' https://docs.rs https://{}; \
                  script-src 'self' 'unsafe-eval' https://www.google.com; \
-                 style-src 'self' https://www.google.com https://ajax.googleapis.com; \
+                 style-src 'self' 'unsafe-inline' https://www.google.com https://ajax.googleapis.com; \
                  img-src *; \
                  object-src 'none'",
                 s3_host
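Review bot: The 'unsafe-inline' added on the `+ style-src` line permits every inline `<style>` element and `style=` attribute on the page, not only the ones Google Charts injects, so a markup-injection bug that the previous policy confined to styleless content now also yields attacker-controlled CSS (layout spoofing, CSS-based data exfiltration); the new comment should say so and, like the 'unsafe-eval' note directly above it, state when the keyword is to be removed. Suggest extending the added comment to `// 'unsafe-inline' for style-src is necessary for Google Charts, which injects inline styles. It allows any inline CSS on the page, so remove it together with 'unsafe-eval' if we switch to a different graph generation library.` If the library needs only one of the two inline forms, `style-src-attr` / `style-src-elem` could narrow the allowance, though browser support for those directives should be confirmed first. The enclosing function starts and ends outside the hunk.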