fix: revert custom CSP - Helmet defaults are correct
Inline script was already extracted to swagger-init.js (BUG-004/005). Helmet defaults allow style-src unsafe-inline and font-src https, so Google Fonts and inline styles work without custom directives.
This commit is contained in:
OpenClaw
parent
6aa1fa4d84
commit
922230c108
1 changed files with 1 additions and 12 deletions
13
src/index.ts
13
src/index.ts
|
|
@ -23,18 +23,7 @@ const PORT = parseInt(process.env.PORT || "3100", 10);
|
||||||
// Load API keys from persistent store
|
// Load API keys from persistent store
|
||||||
loadKeys();
|
loadKeys();
|
||||||
|
|
||||||
app.use(helmet({
|
app.use(helmet({ crossOriginResourcePolicy: { policy: "cross-origin" } }));
|
||||||
crossOriginResourcePolicy: { policy: "cross-origin" },
|
|
||||||
contentSecurityPolicy: {
|
|
||||||
directives: {
|
|
||||||
defaultSrc: ["'self'"],
|
|
||||||
scriptSrc: ["'self'", "'unsafe-inline'"],
|
|
||||||
styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com"],
|
|
||||||
imgSrc: ["'self'", "data:"],
|
|
||||||
fontSrc: ["'self'", "https://fonts.gstatic.com"],
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}));
|
|
||||||
|
|
||||||
// Differentiated CORS middleware
|
// Differentiated CORS middleware
|
||||||
app.use((req, res, next) => {
|
app.use((req, res, next) => {
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue