From bfffdd4d912eb012f947a81ff4c51489015fa2df Mon Sep 17 00:00:00 2001
From: Kevin Morris
Date: Sat, 26 Jun 2021 04:13:28 -0700
Subject: [PATCH] aurweb.asgi: Allow unsafe-inline style-src in CSP

Signed-off-by: Kevin Morris
---
 aurweb/asgi.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/aurweb/asgi.py b/aurweb/asgi.py
index 35166c73..26893232 100644
--- a/aurweb/asgi.py
+++ b/aurweb/asgi.py
@@ -88,6 +88,8 @@ async def add_security_headers(request: Request, call_next: typing.Callable):
         "cdn.jsdelivr.net"
     ]
     csp += f"script-src 'self' 'nonce-{nonce}' " + ' '.join(script_hosts)
+    # It's fine if css is inlined.
+    csp += f"; style-src 'self' 'unsafe-inline'"
     response.headers["Content-Security-Policy"] = csp
 
     # Add XTCO header.
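Review bot: `'unsafe-inline'` in the added style-src directive switches off CSP's protection against injected CSS, which an attacker with an HTML-injection foothold can use to exfiltrate page content (attribute-selector probing of tokens in the DOM, including the script nonce the same header relies on) and to spoof UI, and the comment `# It's fine if css is inlined.` does not record why that risk is acceptable here. The response already carries a per-request nonce for script-src on the preceding context line, so the tighter form is `csp += f"; style-src 'self' 'nonce-{nonce}'"` with that nonce presumably placed on the templates' inline `<style>` elements, keeping `'unsafe-inline'` only if inline `style=` attributes cannot be removed and saying so in the comment, e.g. `# 'unsafe-inline' is needed for inline style= attributes in templates; nonces do not cover those.`. The `f` prefix on the added string is also unnecessary since it contains no placeholders (ruff F541). `add_security_headers` begins before the hunk and continues after it.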