From 3872dafaf1eff40ec8c2ef63017a1cddb97a1425 Mon Sep 17 00:00:00 2001
From: retoor
Date: Sat, 14 Jun 2025 13:02:53 +0200
Subject: [PATCH] Nice.
---
 src/snek/system/middleware.py | 7 +++++--
 src/snek/templates/sandbox.html | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/snek/system/middleware.py b/src/snek/system/middleware.py
index cb2f6bd..8e8a906 100644
--- a/src/snek/system/middleware.py
+++ b/src/snek/system/middleware.py
@@ -5,13 +5,15 @@
 import secrets
 from aiohttp import web
 
+
 @web.middleware
 async def csp_middleware(request, handler):
     nonce = secrets.token_hex(16)
+    origin = request.headers.get('Origin')
     csp_policy = (
         "default-src 'self'; "
-        f"script-src 'self' https://umami.molodetz.nl 'nonce-{nonce}'; "
-        "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
+        f"script-src 'self' {origin} 'nonce-{nonce}'; "
+        f"style-src 'self' 'unsafe-inline' {origin} 'nonce-{nonce}'; "
         "img-src *; "
         "connect-src 'self' https://umami.molodetz.nl; "
         "font-src *; "
@@ -28,6 +30,7 @@ async def csp_middleware(request, handler):
     response.headers['Content-Security-Policy'] = csp_policy
     return response
 
+
 @web.middleware
 async def no_cors_middleware(request, handler):
     response = await handler(request)
diff --git a/src/snek/templates/sandbox.html b/src/snek/templates/sandbox.html
index 4949247..7e2a038 100644
--- a/src/snek/templates/sandbox.html
+++ b/src/snek/templates/sandbox.html
@@ -1,6 +1,6 @@
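Review bot: `origin = request.headers.get('Origin')` copies a client-supplied header straight into the `script-src` and `style-src` allowlist, so the policy permits whatever origin the request names instead of a server-chosen one, and on a plain navigation with no Origin header it interpolates the literal text `None` into both directives. The allowed origin should come from server configuration, e.g. `origin = request.headers.get('Origin', '')` followed by `origin = origin if origin in ALLOWED_ORIGINS else ''`, where `ALLOWED_ORIGINS` is a constructed placeholder for a configured set. Adding `'nonce-{nonce}'` to `style-src` also causes CSP2+ browsers to ignore the `'unsafe-inline'` on the same line, so inline styles without a nonce will presumably be blocked; confirm that is intended. `script-src` no longer lists https://umami.molodetz.nl while `connect-src` still does, so if the analytics script is still loaded from there it will now be refused. csp_middleware's body continues outside the hunk.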
-