From 7e1d862d2662dfd3b69bde704491a57741ac2d31 Mon Sep 17 00:00:00 2001 From: hiteshjambhale Date: Wed, 15 Jul 2026 16:50:02 +0530 Subject: [PATCH 1/2] feat: use per-request nonce in CSP to drop 'unsafe-inline'/'unsafe-eval' (#7599) Harden the default Content-Security-Policy so inline scripts run only via a per-request nonce instead of a blanket 'unsafe-inline', and drop 'unsafe-eval'. - Generate a per-request nonce (secrets.token_urlsafe) cached on flask.g so the exact same value is emitted in templates and the CSP response header. - Substitute a {nonce} placeholder in CONTENT_SECURITY_POLICY at runtime. - Tag inline + - - - - - - - + + + + + - {% if is_desktop_mode and is_linux %} - {% endif %} diff --git a/web/pgadmin/tools/erd/templates/erd/index.html b/web/pgadmin/tools/erd/templates/erd/index.html index 363986e4100..8597651aa00 100644 --- a/web/pgadmin/tools/erd/templates/erd/index.html +++ b/web/pgadmin/tools/erd/templates/erd/index.html @@ -5,7 +5,7 @@ {% endblock %} {% block body %} -