safeweb: allow object-src: self in CSP (#11782)
This change is safe (self is still safe, by definition), and makes the code match the comment.

Updates #cleanup

Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
parent e775de3c63
commit bdfaef4879
@ -89,7 +89,7 @@ var defaultCSP = strings.Join([]string{
`form-action 'self'`, // disallow form submissions to other origins
`base-uri 'self'`, // disallow base URIs from other origins
`block-all-mixed-content`, // disallow mixed content when serving over HTTPS
`object-src 'none'`, // disallow embedding of resources from other origins
`object-src 'self'`, // disallow embedding of resources from other origins
}, "; ")
// Config contains the configuration for a safeweb server.
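Review bot: The mismatch between `object-src 'none'` and its comment ("disallow embedding of resources from other origins") could have been resolved the other way, by correcting the comment to say that all `<object>`/`<embed>` content is blocked, which keeps the strictly tighter policy; switching the directive to `object-src 'self'` in this hunk does make the comment accurate, but it is a loosening rather than a no-op, since same-origin plugin and embedded content that `'none'` previously blocked is now permitted. If safeweb never needs to serve embeddable objects, consider keeping `'none'` and fixing the comment instead, or note in the commit message why same-origin objects should now be allowed. Either way, the comment on the new line is still imprecise for `'self'`: it disallows embedding from other origins *and* allows it from this origin, so something like "allow embedded objects only from this origin" would describe the directive exactly.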