Commit e79dbd2f7ae0

Vincent Demeester <vincent@sbr.pm>
2026-04-01 17:16:33
caddy: relax CSP to allow unsafe-inline styles for vincent.demeester.fr
Needed for the flux design sandbox accent color picker which sets CSS custom properties via JS element.style. Scripts remain locked to 'self' only (no unsafe-inline for script-src).
1 parent ef78858
Changed files (2)
systems
carthage
kerkouane
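--- a/systems/carthage/extra.nix
+++ b/systems/carthage/extra.nix
@@ -15,7 +15,7 @@ let
       X-Frame-Options "SAMEORIGIN"
       Referrer-Policy "strict-origin-when-cross-origin"
       Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()"
-      Content-Security-Policy "default-src 'self' *.sbr.pm *.demeester.fr"
+      Content-Security-Policy "default-src 'self' *.sbr.pm *.demeester.fr; style-src 'self' 'unsafe-inline'; script-src 'self'"
       X-XSS-Protection "1; mode=block"
       Cache-Control "public, max-age=604800, immutable"
       -Server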
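Review bot: Declaring `style-src` and `script-src` explicitly stops both from inheriting `default-src`, so stylesheets and scripts served from `*.sbr.pm` or `*.demeester.fr` are no longer allowed by the new header. For scripts that matches the commit message, but for styles it may be unintended; if any page loads CSS from a sibling subdomain, `style-src 'self' *.sbr.pm *.demeester.fr 'unsafe-inline'` keeps the previous reach. Separately, `'unsafe-inline'` on `style-src` also permits injected `<style>` elements, which is more than the colour picker needs: CSP does not restrict CSSOM writes such as `element.style.setProperty(...)`, so the relaxation may be avoidable, and if style attributes are what actually break, `style-src-attr 'unsafe-inline'` confines it to attributes (check support in the browsers you target). The same line is changed in systems/kerkouane/extra.nix, and the enclosing `let` binding starts and ends outside the hunk.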
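--- a/systems/kerkouane/extra.nix
+++ b/systems/kerkouane/extra.nix
@@ -15,7 +15,7 @@ let
       X-Frame-Options "SAMEORIGIN"
       Referrer-Policy "strict-origin-when-cross-origin"
       Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()"
-      Content-Security-Policy "default-src 'self' *.sbr.pm *.demeester.fr"
+      Content-Security-Policy "default-src 'self' *.sbr.pm *.demeester.fr; style-src 'self' 'unsafe-inline'; script-src 'self'"
       X-XSS-Protection "1; mode=block"
       Cache-Control "public, max-age=604800, immutable"
       -Server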
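Review bot: The title scopes this relaxation to vincent.demeester.fr, but the header sits in a `let` binding whose consumers are outside the hunk, so it is not visible here which sites receive it. If that binding feeds every site on this host, all of them now accept inline styles; a per-site header override for vincent.demeester.fr would keep the stricter policy elsewhere. The policy string is also maintained as two identical copies (here and in systems/carthage/extra.nix), which can drift; a single shared definition imported by both hosts would keep them in step.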