diff --git a/web/config.py b/web/config.py index f39c6085198..b96732a159a 100644 --- a/web/config.py +++ b/web/config.py @@ -144,8 +144,29 @@ # such as JavaScript, CSS, or pretty much anything that the browser loads. # see https://content-security-policy.com/#source_list for more info # e.g. "default-src https: data: 'unsafe-inline' 'unsafe-eval';" -CONTENT_SECURITY_POLICY = "default-src ws: http: data: blob: 'unsafe-inline'" \ - " 'unsafe-eval';" +# +# A per-request nonce is used in place of 'unsafe-inline' for scripts. The +# literal token {nonce} anywhere in the policy is replaced at runtime with a +# freshly generated nonce that is also emitted on pgAdmin's inline + - - - - - - - + + + + +
- {% if is_desktop_mode and is_linux %} - {% endif %} diff --git a/web/pgadmin/tools/erd/templates/erd/index.html b/web/pgadmin/tools/erd/templates/erd/index.html index 363986e4100..8597651aa00 100644 --- a/web/pgadmin/tools/erd/templates/erd/index.html +++ b/web/pgadmin/tools/erd/templates/erd/index.html @@ -5,7 +5,7 @@ {% endblock %} {% block body %} -