Release v1.7.18: fix Alpine.js SRI + CSP, add frontend modernization roadmap
- Revert @alpinejs/csp (CSP build has no support for template literals, optional chaining, or x-html — all used in the app template); switch back to the regular alpinejs build - Pin Alpine.js to 3.15.12 with a verified SRI hash (replaces the floating @3.x.x tag that caused the integrity check failure) - Restore 'unsafe-eval' to script-src (required by Alpine.js's new Function() expression evaluator; inline script was already eliminated in v1.7.17 so 'unsafe-inline' stays removed) - Add Phase 7.5 Frontend Modernization to ROADMAP: Vue 3 + Vite migration plan that will allow a clean CSP without unsafe-eval Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
+1
-1
@@ -112,7 +112,7 @@ async def security_headers_middleware(request: Request, call_next):
|
||||
if request.url.path.startswith("/api/") or request.url.path in ("/", "/index.html"):
|
||||
response.headers["Content-Security-Policy"] = (
|
||||
"default-src 'self'; "
|
||||
"script-src 'self' cdn.jsdelivr.net alcdn.msauth.net; "
|
||||
"script-src 'self' 'unsafe-eval' cdn.jsdelivr.net alcdn.msauth.net; "
|
||||
"style-src 'self' 'unsafe-inline'; "
|
||||
"connect-src 'self' https://login.microsoftonline.com; "
|
||||
"frame-src 'self' https://login.microsoftonline.com; "
|
||||
|
||||
Reference in New Issue
Block a user