
max / makenotwork

Allow inline scripts in CSP

script-src 'self' without 'unsafe-inline' blocks all onclick handlers and inline <script> blocks, breaking tab navigation and file uploads.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author: Max J. <87768334+MaxJMath@users.noreply.github.com> · 2026-05-10 18:16 UTC
Commit: 1122609cec0e5aa16f0dd84b0863b5bde403db6f
Parent: 36f6e08
1 file changed, +1 insertion, -1 deletion
@@ -239,7 +239,7 @@ async fn security_headers_middleware(
239 239 None => "media-src 'self'".to_string(),
240 240 };
241 241 let csp = format!(
242 - "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; \
242 + "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; \
243 243 img-src 'self' data: https:; font-src 'self'; connect-src 'self'; \
244 244 {media_src}; frame-ancestors 'none'"
245 245 );
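Review bot: Adding 'unsafe-inline' to script-src on the new line 242 removes most of the cross-site-scripting protection that directive provides, because any injected <script> element or onclick= attribute will now execute; the header is still sent, but for scripts it no longer restricts anything beyond origin. The inline handlers and inline <script> blocks the commit message describes are better moved into an external file served from 'self' and attached with addEventListener, which needs no change to this directive. If inline <script> blocks must stay, generate a per-request nonce inside security_headers_middleware and emit it as `script-src 'self' 'nonce-<value>'`, rendering the same nonce on each inline <script> tag; nonces do not cover onclick= attributes, which still need converting to listeners (or 'unsafe-hashes' with a hash per handler). The same line already carries 'unsafe-inline' on style-src, so a follow-up could tighten both directives together.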