consultoria-as/stl-repo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: CSP permisivo para evitar bloqueos en navegador

Browse Source 
- Relajado Content-Security-Policy para permitir CDN e iframes
- Eliminado X-Frame-Options que podia bloquear extensiones
- Verificado: no hay iframes en el frontend
This commit is contained in:
Consultoria AS
2026-04-28 04:51:29 +00:00
parent 4232d66259
commit 7a66cc1d6e
1 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
app/main.py
View File

@@ -31,16 +31,16 @@ app.add_middleware(
class SecurityHeadersMiddleware(BaseHTTPMiddleware):
async def dispatch(self, request, call_next):
response = await call_next(request)
response.headers["X-Frame-Options"] = "SAMEORIGIN"
response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
# Permissive CSP: allow same-origin, CDN scripts, inline styles, images from anywhere
response.headers["Content-Security-Policy"] = (
"default-src 'self'; "
"script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; "
"style-src 'self' 'unsafe-inline'; "
"img-src 'self' data: blob:; "
"font-src 'self'; "
"connect-src 'self';"
"default-src * 'self' data: blob: 'unsafe-inline' 'unsafe-eval'; "
"script-src * 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; "
"style-src * 'self' 'unsafe-inline'; "
"img-src * 'self' data: blob:; "
"font-src * 'self' data:; "
"connect-src * 'self';"
)
return response