Jupyter: Stricter CSP - disallow local JS

Users can add JS as attachments, which will be executed. Would allow XSS
from malicious users.
This commit is contained in:
Pedro Ferreira 2016-02-10 17:06:20 +01:00
parent 4ed19485ec
commit d1417a413d


@ -54,7 +54,7 @@ class RHEventPreviewIPyNB(RH):
response = current_app.response_class(html)
# Use CSP to restrict access to possibly malicious scripts or inline JS
csp_header = "script-src 'self' cdn.mathjax.org cdnjs.cloudflare.com 'unsafe-eval';"
csp_header = "script-src cdn.mathjax.org cdnjs.cloudflare.com 'unsafe-eval';"
response.headers['Content-Security-Policy'] = csp_header
response.headers['X-Webkit-CSP'] = csp_header
# IE10 doesn't have proper CSP support, so we need to be more strict
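Review bot: dropping `'self'` from `script-src` stops attachment-served JavaScript on the same origin from loading as a script, which matches the commit message, but the new value still carries `'unsafe-eval'` and the policy contains only a `script-src` directive, so string evaluation inside the allowed libraries remains possible and nothing constrains `<object>`/`<embed>` or `<base>`; consider appending `object-src 'none'; base-uri 'none';` to the header. Two follow-ups worth a comment in the code: first, allow-listing `cdn.mathjax.org` and `cdnjs.cloudflare.com` by hostname permits any script hosted under those hosts, not only the MathJax and notebook assets the preview needs, so pinning the exact script paths (or moving to hashes/nonces) would narrow the policy further; second, with `'self'` gone, any same-origin script the rendered notebook HTML itself references will now be blocked, so it is worth stating in the comment that the nbconvert output is expected to load scripts only from the two CDNs. The comment on the preceding line still says "possibly malicious scripts or inline JS"; since neither the old nor the new value includes `'unsafe-inline'`, inline JS was already blocked and the comment could say the change is specifically about same-origin (attachment) scripts.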