From 39fd3066d97ecb10078d3755d31f136fcaf04777 Mon Sep 17 00:00:00 2001
From: Pedro Ferreira
Date: Fri, 12 Feb 2016 10:19:46 +0100
Subject: [PATCH] Remove Cloudflare's CDN from whitelist

Angular + Prototype are exploitable when together :/

---
 previewer_jupyter/indico_previewer_jupyter/controllers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/previewer_jupyter/indico_previewer_jupyter/controllers.py b/previewer_jupyter/indico_previewer_jupyter/controllers.py
index 0f1631c..e2005da 100644
--- a/previewer_jupyter/indico_previewer_jupyter/controllers.py
+++ b/previewer_jupyter/indico_previewer_jupyter/controllers.py
@@ -57,7 +57,7 @@ class RHEventPreviewIPyNB(RH):
 response = current_app.response_class(html)
 # Use CSP to restrict access to possibly malicious scripts or inline JS
- csp_header = "script-src cdn.mathjax.org cdnjs.cloudflare.com 'nonce-{}';".format(nonce)
+ csp_header = "script-src cdn.mathjax.org 'nonce-{}';".format(nonce)
 response.headers['Content-Security-Policy'] = csp_header
 response.headers['X-Webkit-CSP'] = csp_header
 # IE10 doesn't have proper CSP support, so we need to be more strict
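Review bot: The `+` line still whitelists the whole `cdn.mathjax.org` host, and a CSP host source with no path matches every script on that host, so the same class of bypass that motivated dropping cdnjs — an abusable library served from a whitelisted origin — is only as closed as the set of files that CDN happens to host. Narrow the source to the path prefix the page actually loads (MathJax fetches further components from under its own directory, so a prefix rather than a single file is the safe granularity), e.g. `csp_header = "script-src https://cdn.mathjax.org/mathjax/latest/ 'nonce-{}'; object-src 'none'; base-uri 'none';".format(nonce)`, adjusting the path to whatever the template requests, which is not visible here. The added `object-src 'none'` closes plugin-based script execution that a `script-src`-only policy leaves open, and `base-uri 'none'` stops an injected `<base>` from redirecting any relative script URL away from the intended host. The enclosing method and the `nonce` generation lie outside the hunk, so whether the nonce is freshly generated per response could not be checked from here.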