Diffstat (limited to 'subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java')
-rw-r--r--subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java4
1 files changed, 2 insertions, 2 deletions
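diff --git a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
index 7b094fde..fab94689 100644
--- a/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
+++ b/subprojects/language-web/src/main/java/tools/refinery/language/web/SecurityHeadersFilter.java
@@ -16,7 +16,7 @@ public class SecurityHeadersFilter implements Filter {
 ServletException {
 if (response instanceof HttpServletResponse httpResponse) {
 httpResponse.setHeader("Content-Security-Policy", "default-src 'none'; " +
-"script-src 'self'; " +
+"script-src 'self' 'wasm-unsafe-eval'; " +
 // CodeMirror needs inline styles, see e.g.,
 // https://discuss.codemirror.net/t/inline-styles-and-content-security-policy/1311/2
 "style-src 'self' 'unsafe-inline'; " +
@@ -25,7 +25,7 @@ public class SecurityHeadersFilter implements Filter {
 "font-src 'self'; " +
 "connect-src 'self'; " +
 "manifest-src 'self'; " +
-"worker-src 'self';");
+"worker-src 'self' blob:;");
 httpResponse.setHeader("X-Content-Type-Options", "nosniff");
 httpResponse.setHeader("X-Frame-Options", "DENY");
 httpResponse.setHeader("Referrer-Policy", "strict-origin");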
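Review bot: The two new CSP relaxations — `'wasm-unsafe-eval'` on the `script-src` line (new line 19) and `blob:` on the `worker-src` line (new line 28) — carry no justifying comment, while the neighbouring `'unsafe-inline'` on `style-src` does; record the rationale the same way, e.g. `// 'wasm-unsafe-eval' allows compiling WebAssembly without resorting to 'unsafe-eval';` / `// blob: lets same-origin scripts spawn workers from blob URLs (needed by <component> — TODO name it)`. Because `script-src` stays `'self'` and does not include `blob:`, a blob-URL worker can only be created by a script that already passes the same-origin check, which keeps the widening contained; stating that in the comment helps prevent a later edit from adding `blob:` to `script-src` as well. Browsers that do not implement `worker-src` fall back to `child-src` and then `script-src`, where `blob:` is absent, so such workers would be blocked rather than silently allowed there — acceptable, but worth noting as a compatibility trade-off. The enclosing method (presumably `doFilter`, given `implements Filter`) begins before the first hunk and continues after the last.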