|
|
|
@ -96,7 +96,7 @@ server { |
|
|
|
set $workerSrc "https://${main_domain}"; |
|
|
|
|
|
|
|
# script-src specifies valid sources for javascript, including inline handlers |
|
|
|
set $scriptSrc "'self' ${main_domain}"; |
|
|
|
set $scriptSrc "'self' resource: ${main_domain}"; |
|
|
|
|
|
|
|
set $unsafe 0; |
|
|
|
# the following assets are loaded via the sandbox domain |
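Review bot: The new `set $scriptSrc "'self' resource: ${main_domain}";` widens script-src with the bare scheme source `resource:`, and nothing in the hunk records why; unlike `${main_domain}`, a scheme source is not tied to any host, so every script reachable under that scheme becomes an allowed source. The same widening is applied in the second hunk to the privileged `if ($unsafe)` branch, which already carries `'unsafe-eval' 'unsafe-inline'`. I would put the rationale on the line above it, e.g. `# resource: is required for <REASON – fill in>; it is a scheme source, so keep this list as short as possible`, so that the next reviewer can tell whether the entry is still needed (presumably it is for a browser that loads its own scripts from resource: URLs — confirm). The enclosing `server {` block starts before and continues past this hunk.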
|
|
|
@ -110,7 +110,7 @@ server { |
|
|
|
|
|
|
|
# privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied |
|
|
|
if ($unsafe) { |
|
|
|
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' ${main_domain}"; |
|
|
|
set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: ${main_domain}"; |
|
|
|
} |
|
|
|
|
|
|
|
# Finally, set all the rules you composed above. |
|
|
|
|