safeweb: allow object-src: self in CSP (#11782)

This change is safe (self is still safe, by
definition), and makes the code match the comment.

Updates #cleanup

Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
This commit is contained in:
Chris Palmer 2024-04-18 10:39:11 -07:00 committed by GitHub
parent e775de3c63
commit bdfaef4879
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -89,7 +89,7 @@
`form-action 'self'`, // disallow form submissions to other origins
`base-uri 'self'`, // disallow base URIs from other origins
`block-all-mixed-content`, // disallow mixed content when serving over HTTPS
`object-src 'none'`, // disallow embedding of resources from other origins
`object-src 'self'`, // disallow embedding of resources from other origins
}, "; ")
// Config contains the configuration for a safeweb server.