retoor 2025-06-14 13:02:53 +02:00
parent 6a905c1948
commit 3872dafaf1
2 changed files with 6 additions and 3 deletions


@ -5,13 +5,15 @@
import secrets import secrets
from aiohttp import web from aiohttp import web
@web.middleware @web.middleware
async def csp_middleware(request, handler): async def csp_middleware(request, handler):
nonce = secrets.token_hex(16) nonce = secrets.token_hex(16)
origin = request.headers.get('Origin')
csp_policy = ( csp_policy = (
"default-src 'self'; " "default-src 'self'; "
f"script-src 'self' https://umami.molodetz.nl 'nonce-{nonce}'; " f"script-src 'self' {origin} 'nonce-{nonce}'; "
"style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; " f"style-src 'self' 'unsafe-inline' {origin} 'nonce-{nonce}'; "
"img-src *; " "img-src *; "
"connect-src 'self' https://umami.molodetz.nl; " "connect-src 'self' https://umami.molodetz.nl; "
"font-src *; " "font-src *; "
@ -28,6 +30,7 @@ async def csp_middleware(request, handler):
response.headers['Content-Security-Policy'] = csp_policy response.headers['Content-Security-Policy'] = csp_policy
return response return response
@web.middleware @web.middleware
async def no_cors_middleware(request, handler): async def no_cors_middleware(request, handler):
response = await handler(request) response = await handler(request)
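Review bot: The `Origin` request header read at the top of csp_middleware is client-supplied, and the new `script-src` and `style-src` lines place it in the policy verbatim, so whichever origin issued the request becomes an allowed script and style source for that response; when the header is absent, the literal text `None` is written into both directives. A value containing `;` would also add directives of its own, since nothing validates it before interpolation. Keep the sources a fixed allowlist as before, e.g. `f"script-src 'self' https://umami.molodetz.nl 'nonce-{nonce}'; "`, or compare `origin` against a configured set and leave it out when it does not match. Separately, adding `'nonce-{nonce}'` to `style-src` makes CSP2+ browsers ignore `'unsafe-inline'` in that directive, so inline styles without the nonce would stop applying, and dropping `https://cdn.jsdelivr.net` blocks stylesheets from that host if any are still loaded. The body of csp_middleware continues between the two hunks and is not visible here.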


@ -1,6 +1,6 @@
<div id="star-tooltip" class="star-tooltip"></div> <div id="star-tooltip" class="star-tooltip"></div>
<div id="star-popup" class="star-popup"></div> <div id="star-popup" class="star-popup"></div>
<script type="module"> <script type="module" nonce="{{nonce}}">
import { app } from "/app.js"; import { app } from "/app.js";
import {WebTerminal} from "/dumb-term.js"; import {WebTerminal} from "/dumb-term.js";