doc link to svelte unsafe-inline issue

sebadob · Jul 10, 2023 · 85fbafe · 85fbafe
1 parent 1ffed65
commit 85fbafe
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 6 deletions.
diff --git a/rauthy-handlers/src/lib.rs b/rauthy-handlers/src/lib.rs
@@ -111,9 +111,11 @@ fn add_req_mfa_cookie(
 
 pub fn build_csp_header(nonce: &str) -> (&str, String) {
     // Note: The unsafe-inline for the style-src currently has an open issue on the svelte repo.
-    // As soon as this is fixed, we can get rid of it.y
+    // As soon as this is fixed, we can get rid of it:
+    // https://github.com/sveltejs/svelte/issues/6662
+
     // let value = format!(
-    //     "default-src 'self'; script-src 'strict-dynamic' 'nonce-{}'; style-src 'strict-dynamic' 'nonce-{}'; \
+    //     "default-src 'self'; script-src 'strict-dynamic' 'nonce-{}'; style-src 'self' 'nonce-{}'; \
     //     frame-ancestors 'self'; object-src 'none'; img-src 'self' data:;",
     //     nonce, nonce,
     // );

diff --git a/rauthy-main/src/main.rs b/rauthy-main/src/main.rs
@@ -245,10 +245,7 @@ async fn actix_main(app_state: web::Data<AppState>) -> std::io::Result<()> {
                     .add(("x-robots-tag", "none"))
                     .add((
                         "content-security-policy",
-                        // unsafe-inline is currently needed, since svelte does currently need this
-                        // for the initial static hydration script. An issue is open about this and
-                        // this will most probably solved soon.
-                        "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; object-src 'none'; img-src 'self' data:;",
+                        "default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'self'; object-src 'none'; img-src 'self' data:;",
                     ))
                     .add(("cache-control", "no-store"))
                     .add(("pragma", "no-cache")),