From d1417a413d8ea7e3c751a1c40e922a5d3e0fbf19 Mon Sep 17 00:00:00 2001
From: Pedro Ferreira
Date: Wed, 10 Feb 2016 17:06:20 +0100
Subject: [PATCH] Jupyter: Stricter CSP - disallow local JS

Users can add JS as attachments, which will be executed. Would allow XSS from malicious users.
---
 previewer_jupyter/indico_previewer_jupyter/controllers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/previewer_jupyter/indico_previewer_jupyter/controllers.py b/previewer_jupyter/indico_previewer_jupyter/controllers.py
index 9207779..7e4c7b2 100644
--- a/previewer_jupyter/indico_previewer_jupyter/controllers.py
+++ b/previewer_jupyter/indico_previewer_jupyter/controllers.py
@@ -54,7 +54,7 @@ class RHEventPreviewIPyNB(RH):
 response = current_app.response_class(html)
 # Use CSP to restrict access to possibly malicious scripts or inline JS
- csp_header = "script-src 'self' cdn.mathjax.org cdnjs.cloudflare.com 'unsafe-eval';"
+ csp_header = "script-src cdn.mathjax.org cdnjs.cloudflare.com 'unsafe-eval';"
 response.headers['Content-Security-Policy'] = csp_header
 response.headers['X-Webkit-CSP'] = csp_header
 # IE10 doesn't have proper CSP support, so we need to be more strict
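Review bot: Dropping 'self' narrows only script-src; the new csp_header line still sets no object-src or base-uri directive, so same-origin attachments can still be pulled in as plugin content through object/embed elements, and a base element in the rendered notebook can redirect where relative script URLs resolve. The policy also allow-lists two whole public CDNs by host, which permits loading any script those hosts serve rather than just the MathJax/Jupyter assets the output needs; pinning to the specific library paths actually loaded (or moving to nonces) would close that gap, and 'unsafe-eval' is worth keeping only if the nbconvert output is confirmed to require it. A minimal tightening is `csp_header = "script-src cdn.mathjax.org cdnjs.cloudflare.com 'unsafe-eval'; object-src 'none'; base-uri 'none';"`. The comment above the assignment should also record why 'self' is excluded, e.g. `# 'self' is deliberately omitted: user attachments are served from this origin and must not be executable.` The enclosing method continues outside the hunk (the IE10 handling that follows).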