Allow inline style elements for event-admin CSP

2026-01-24 21:16:31 +01:00
parent 684f54f58f
commit 8887d8e16c
1 changed files with 8 additions and 1 deletions
--- a/app/Http/Middleware/ContentSecurityPolicy.php
+++ b/app/Http/Middleware/ContentSecurityPolicy.php
@@ -48,8 +48,14 @@ class ContentSecurityPolicy
            "'nonce-{$styleNonce}'",
            'https:',
        ];
+        $styleElemSources = [];
        if ($allowUnsafeInlineStyles) {
-            $styleSources[] = "'unsafe-inline'";
+            $styleElemSources = [
+                "'self'",
+                "'unsafe-inline'",
+                'https:',
+                'data:',
+            ];
        }

        $connectSources = [
@@ -128,6 +134,7 @@ class ContentSecurityPolicy
            'default-src' => ["'self'"],
            'script-src' => array_unique($scriptSources),
            'style-src' => array_unique($styleSources),
+            'style-src-elem' => $styleElemSources,
            'style-src-attr' => ["'unsafe-inline'"],
            'img-src' => array_unique($imgSources),
            'font-src' => array_unique($fontSources),