cqrenet/aoc
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 29 Wiki Activity

v1.7.13: switch Alpine.js to CSP build, remove unsafe-eval from CSP
All checks were successful
Release / build-and-push (push) Successful in 41s
Details
CI / lint-and-test (push) Successful in 25s
Details

Browse Source
This commit is contained in:
Tomas Kracmar
2026-04-27 15:48:22 +02:00
parent 07a841615b
commit de7df3f390
4 changed files with 45 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
backend/frontend/index.html
View File

@@ -5,7 +5,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Admin Operations Center</title>
<link rel="stylesheet" href="/style.css?v=15" />
<script defer src="https://cdn.jsdelivr.net/npm/alpinejs@3.x.x/dist/cdn.min.js"></script>
<script defer src="https://cdn.jsdelivr.net/npm/@alpinejs/csp@3.x.x/dist/cdn.min.js"></script>
<script src="https://alcdn.msauth.net/browser/2.37.0/js/msal-browser.min.js" crossorigin="anonymous"></script>
</head>
<body>
@@ -1274,5 +1274,13 @@
};
}
</script>
<script>
// Alpine CSP build requires explicit start
document.addEventListener('DOMContentLoaded', function () {
if (window.Alpine && typeof window.Alpine.start === 'function') {
window.Alpine.start();
}
});
</script>
</body>
</html>

2
backend/main.py
View File

@@ -109,7 +109,7 @@ async def security_headers_middleware(request: Request, call_next):
if request.url.path.startswith("/api/") or request.url.path in ("/", "/index.html"):
response.headers["Content-Security-Policy"] = (
"default-src 'self'; "
"script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net alcdn.msauth.net; "
"script-src 'self' 'unsafe-inline' cdn.jsdelivr.net alcdn.msauth.net; "
"style-src 'self' 'unsafe-inline'; "
"connect-src 'self' https://login.microsoftonline.com; "
"frame-src 'self' https://login.microsoftonline.com; "