1 files changed, 2 insertions, 2 deletions
diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
index 7b094fde..fab94689 100644
--- a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
+++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
@@ -16,7 +16,7 @@ public class SecurityHeadersFilter implements Filter {
                        ServletException {
                if (response instanceof HttpServletResponse httpResponse) {
                        httpResponse.setHeader("Content-Security-Policy", "default-src 'none'; " +
-                                        "script-src 'self'; " +
+                                        "script-src 'self' 'wasm-unsafe-eval'; " +
                                        // CodeMirror needs inline styles, see e.g.,
                                        // https://discuss.codemirror.net/t/inline-styles-and-content-security-policy/1311/2
                                        "style-src 'self' 'unsafe-inline'; " +
@@ -25,7 +25,7 @@ public class SecurityHeadersFilter implements Filter {
                                        "font-src 'self'; " +
                                        "connect-src 'self'; " +
                                        "manifest-src 'self'; " +
-                                        "worker-src 'self';");
+                                        "worker-src 'self' blob:;");
                        httpResponse.setHeader("X-Content-Type-Options", "nosniff");
                        httpResponse.setHeader("X-Frame-Options", "DENY");
                        httpResponse.setHeader("Referrer-Policy", "strict-origin");

diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java index 7b094fde..fab94689 100644 --- a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java +++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
@@ -16,7 +16,7 @@ public class SecurityHeadersFilter implements Filter {
16	ServletException {	16	ServletException {
17	if (response instanceof HttpServletResponse httpResponse) {	17	if (response instanceof HttpServletResponse httpResponse) {
18	httpResponse.setHeader("Content-Security-Policy", "default-src 'none'; " +	18	httpResponse.setHeader("Content-Security-Policy", "default-src 'none'; " +
19	"script-src 'self'; " +	19	"script-src 'self' 'wasm-unsafe-eval'; " +
20	// CodeMirror needs inline styles, see e.g.,	20	// CodeMirror needs inline styles, see e.g.,
21	// https://discuss.codemirror.net/t/inline-styles-and-content-security-policy/1311/2	21	// https://discuss.codemirror.net/t/inline-styles-and-content-security-policy/1311/2
22	"style-src 'self' 'unsafe-inline'; " +	22	"style-src 'self' 'unsafe-inline'; " +
@@ -25,7 +25,7 @@ public class SecurityHeadersFilter implements Filter {
25	"font-src 'self'; " +	25	"font-src 'self'; " +
26	"connect-src 'self'; " +	26	"connect-src 'self'; " +
27	"manifest-src 'self'; " +	27	"manifest-src 'self'; " +
28	"worker-src 'self';");	28	"worker-src 'self' blob:;");
29	httpResponse.setHeader("X-Content-Type-Options", "nosniff");	29	httpResponse.setHeader("X-Content-Type-Options", "nosniff");
30	httpResponse.setHeader("X-Frame-Options", "DENY");	30	httpResponse.setHeader("X-Frame-Options", "DENY");
31	httpResponse.setHeader("Referrer-Policy", "strict-origin");	31	httpResponse.setHeader("Referrer-Policy", "strict-origin");