From b526f1522bbad2d000fd4abcf819408ebf1909ec Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Tue, 14 May 2024 14:23:56 +0100
Subject: [PATCH] Extract styles to file and harden CSP

---
 calmerge/static/listing.css | 9 +++++++++
 calmerge/templates/listing.html | 12 +-----------
 calmerge/views.py | 10 ++++++----
 3 files changed, 16 insertions(+), 15 deletions(-)
 create mode 100644 calmerge/static/listing.css

diff --git a/calmerge/static/listing.css b/calmerge/static/listing.css
new file mode 100644
index 0000000..9922347
--- /dev/null
+++ b/calmerge/static/listing.css
@@ -0,0 +1,9 @@
+table {
+    min-width: 50vw;
+    max-width: 100vw;
+}
+
+td {
+    text-align: center;
+    padding: 0.75rem;
+}
diff --git a/calmerge/templates/listing.html b/calmerge/templates/listing.html
index 755a100..24fbebe 100644
--- a/calmerge/templates/listing.html
+++ b/calmerge/templates/listing.html
@@ -3,17 +3,7 @@ Calmerge - +

Calmerge

diff --git a/calmerge/views.py b/calmerge/views.py
index 632d72e..42bd2bc 100644
--- a/calmerge/views.py
+++ b/calmerge/views.py
@@ -52,9 +52,7 @@ async def calendar_listing(request: web.Request) -> web.Response:
         raise web.HTTPUnauthorized(headers={hdrs.WWW_AUTHENTICATE: "Basic"})
 
     response = aiohttp_jinja2.render_template("listing.html", request, {})
-    response.headers["Content-Security-Policy"] = (
-        "default-src 'self'; style-src 'unsafe-inline'"
-    )
+    response.headers["Content-Security-Policy"] = "default-src 'self'"
     return response
 
 
@@ -66,6 +64,10 @@ async def calendar_html(request: web.Request) -> web.Response:
     if calendar_config is None:
         raise web.HTTPNotFound()
 
-    return aiohttp_jinja2.render_template(
+    response = aiohttp_jinja2.render_template(
         "calendar.html", request, {"calendar": calendar_config}
     )
+    response.headers["Content-Security-Policy"] = (
+        "default-src 'self' https://cdn.jsdelivr.net 'unsafe-inline'; script-src 'self' https://cdn.jsdelivr.net; font-src data:"
+    )
+    return response
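Review bot: `default-src 'self'` on the listing page does not govern `frame-ancestors`, `base-uri` or `form-action`, so unless an `X-Frame-Options` header is set elsewhere the page can still be framed by any origin; consider `response.headers["Content-Security-Policy"] = "default-src 'self'; frame-ancestors 'none'; base-uri 'self'"` (plus `form-action 'self'` if the template submits a form). Dropping `style-src 'unsafe-inline'` is correct now that the styles live in `/static/listing.css`, which the `'self'` fallback covers. The start of `calendar_listing` is outside this hunk.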
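Review bot: The calendar page's policy places `'unsafe-inline'` in `default-src`, so it is inherited by every directive that is not set explicitly; since `script-src` is explicit, the only thing it effectively grants is inline styles, and saying so directly keeps the fallback tight: `"default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' https://cdn.jsdelivr.net 'unsafe-inline'; font-src data:"` (if the calendar library fetches images or makes requests to the CDN, add `img-src`/`connect-src` entries rather than widening `default-src`). Separately, `https://cdn.jsdelivr.net` as a script source admits every package that CDN serves, so whatever `calendar.html` loads from it should carry an `integrity=` attribute, or the directive should name the specific package path; the template is not in this diff so I cannot check. `font-src data:` also replaces the fallback entirely, so a webfont served from the CDN or from `'self'` would be blocked — verify that is intended. The rest of `calendar_html` is outside this hunk.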