Fix CSP style-src-elem allowlist

2026-01-24 23:16:23 +01:00
parent 694ce218c9
commit 8414305ea3
2 changed files with 7 additions and 9 deletions
--- a/app/Http/Middleware/ContentSecurityPolicy.php
+++ b/app/Http/Middleware/ContentSecurityPolicy.php
@@ -48,15 +48,6 @@ class ContentSecurityPolicy
            "'nonce-{$styleNonce}'",
            'https:',
        ];
-        $styleElemSources = [];
-        if ($allowUnsafeInlineStyles) {
-            $styleElemSources = [
-                "'self'",
-                "'unsafe-inline'",
-                'https:',
-                'data:',
-            ];
-        }

        $connectSources = [
            "'self'",
@@ -129,6 +120,11 @@ class ContentSecurityPolicy
        $styleSources[] = 'data:';
        $connectSources[] = 'https:';
        $fontSources[] = 'https:';
+        $styleElemSources = $styleSources;
+
+        if ($allowUnsafeInlineStyles) {
+            $styleElemSources = array_unique(array_merge($styleElemSources, ["'unsafe-inline'"]));
+        }

        $directives = [
            'default-src' => ["'self'"],