Fix: add scriptSrcAttr unsafe-inline to allow onclick handlers
Helmet 8 adds script-src-attr: 'none' by default which blocks ALL inline event attribute handlers (onclick, onchange, etc.) regardless of script-src unsafe-inline. This silently broke every onclick button: copy, read aloud, nextcloud upload, generate, record, etc.
This commit is contained in:
parent
9f2dee0875
commit
3e4ebe579e
1 changed files with 2 additions and 1 deletions
|
|
@ -19,7 +19,8 @@ app.use(helmet({
|
|||
contentSecurityPolicy: {
|
||||
directives: {
|
||||
defaultSrc: ["'self'"],
|
||||
scriptSrc: ["'self'", "'unsafe-inline'"], // unsafe-inline needed for onclick handlers in HTML
|
||||
scriptSrc: ["'self'", "'unsafe-inline'"],
|
||||
scriptSrcAttr: ["'unsafe-inline'"], // allow onclick/onchange attribute handlers
|
||||
styleSrc: ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com', 'https://cdnjs.cloudflare.com'],
|
||||
fontSrc: ["'self'", 'https://fonts.gstatic.com', 'https://cdnjs.cloudflare.com'],
|
||||
imgSrc: ["'self'", 'data:', 'blob:'],
|
||||
|
|
|
|||
Loading…
Reference in a new issue