fix: CSP permisivo para evitar bloqueos en navegador

- Relajado Content-Security-Policy para permitir CDN e iframes - Eliminado X-Frame-Options que podia bloquear extensiones - Verificado: no hay iframes en el frontend
2026-04-28 04:51:29 +00:00
parent 4232d66259
commit 7a66cc1d6e
1 changed files with 7 additions and 7 deletions
--- a/app/main.py
+++ b/app/main.py
@@ -31,16 +31,16 @@ app.add_middleware(
 class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request, call_next):
        response = await call_next(request)
        response.headers["X-Frame-Options"] = "SAMEORIGIN"
        response.headers["X-Content-Type-Options"] = "nosniff"
        response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
        # Permissive CSP: allow same-origin, CDN scripts, inline styles, images from anywhere
        response.headers["Content-Security-Policy"] = (
-            "default-src 'self'; "
+            "default-src * 'self' data: blob: 'unsafe-inline' 'unsafe-eval'; "
-            "script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; "
+            "script-src * 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; "
-            "style-src 'self' 'unsafe-inline'; "
+            "style-src * 'self' 'unsafe-inline'; "
-            "img-src 'self' data: blob:; "
+            "img-src * 'self' data: blob:; "
-            "font-src 'self'; "
+            "font-src * 'self' data:; "
-            "connect-src 'self';"
+            "connect-src * 'self';"
        )
        return response