hotfix(v1.7.11): add unsafe-eval to CSP for Alpine.js

hotfix(v1.7.10): add font-src to CSP for data URI fonts
2026-04-27 10:39:33 +02:00 · 2026-04-27 10:32:35 +02:00
2 changed files with 4 additions and 3 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-1.7.9
+1.7.11
--- a/backend/main.py
+++ b/backend/main.py
@@ -92,12 +92,13 @@ async def cache_control_middleware(request: Request, call_next):
    if request.url.path.startswith("/api/") or request.url.path in ("/", "/index.html"):
        response.headers["Content-Security-Policy"] = (
            "default-src 'self'; "
-            "script-src 'self' 'unsafe-inline' cdn.jsdelivr.net alcdn.msauth.net; "
+            "script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.jsdelivr.net alcdn.msauth.net; "
            "style-src 'self' 'unsafe-inline'; "
            "connect-src 'self' https://login.microsoftonline.com; "
            "frame-src 'self' https://login.microsoftonline.com; "
            "form-action 'self' https://login.microsoftonline.com; "
-            "img-src 'self' data:;"
+            "img-src 'self' data:; "
+            "font-src 'self' data:;"
        )
    return response
Author	SHA1	Message	Date
Tomas Kracmar	c086fa4260	hotfix(v1.7.11): add unsafe-eval to CSP for Alpine.js All checks were successful CI / lint-and-test (push) Successful in 1m26s Details Release / build-and-push (push) Successful in 3m1s Details	2026-04-27 10:39:33 +02:00
Tomas Kracmar	be700fefc3	hotfix(v1.7.10): add font-src to CSP for data URI fonts All checks were successful CI / lint-and-test (push) Successful in 1m29s Details Release / build-and-push (push) Successful in 2m53s Details	2026-04-27 10:32:35 +02:00
@@ -1 +1 @@
 .7.9
 .7.11