From 77ad09dc6273d19420f099f8208ab7b525483cbb Mon Sep 17 00:00:00 2001
From: Johan Sydseter
Date: Sat, 25 Jan 2025 10:20:46 +0100
Subject: [PATCH] remove self from script-src
---
 cornucopia.owasp.org/script/headers.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cornucopia.owasp.org/script/headers.js b/cornucopia.owasp.org/script/headers.js
index 84b720c41..64ec993af 100644
--- a/cornucopia.owasp.org/script/headers.js
+++ b/cornucopia.owasp.org/script/headers.js
@@ -27,12 +27,12 @@ function main() {
 Referrer-Policy: same-origin
 Permissions-Policy: accelerometer=(), autoplay=(), camera=(), document-domain=(), encrypted-media=(), fullscreen=(self "https://www.youtube.com/"), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), geolocation=()
 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
- content-security-policy: base-uri 'self'; default-src 'none'; connect-src 'self'; script-src 'self' 'nonce-DhcnhD3khTMePgXw'; style-src 'self'; style-src-elem 'self'; img-src 'self'
+ content-security-policy: base-uri 'self'; default-src 'none'; connect-src 'self'; script-src 'nonce-DhcnhD3khTMePgXw'; style-src 'self'; style-src-elem 'self'; img-src 'self'
 /how-to-play
 Permissions-Policy: accelerometer=(), autoplay=(), camera=(), document-domain=(), encrypted-media=(), fullscreen=(self "https://www.youtube.com/"), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), geolocation=()
 ! Content-Security-Policy
- content-security-policy: base-uri 'self'; default-src 'none'; frame-src 'self' https://www.youtube.com/; connect-src 'self'; img-src 'self' https://i.ytimg.com/vi/XXTPXozIHow/mqdefault.jpg; script-src 'self' 'nonce-DhcnhD3khTMePgXw'; style-src 'self'; style-src-elem 'self'
+ content-security-policy: base-uri 'self'; default-src 'none'; frame-src 'self' https://www.youtube.com/; connect-src 'self'; img-src 'self' https://i.ytimg.com/vi/XXTPXozIHow/mqdefault.jpg; script-src 'nonce-DhcnhD3khTMePgXw'; style-src 'self'; style-src-elem 'self'
 `;
 const headersFile = path.join(buildDir, '_headers');
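Review bot: With `'self'` removed, both `script-src` directives in this hunk rest entirely on `'nonce-DhcnhD3khTMePgXw'`, a literal in the template string that is presumably identical on every response. A nonce only helps when it is unpredictable per response; a fixed value is readable from any page view, so markup injection that copies it onto its own script tag would satisfy the policy. Because `_headers` is a static file, hash sources fit better, for example `script-src 'sha256-<BASE64_HASH_OF_INLINE_SCRIPT>'` (placeholder) computed in this build script from the emitted HTML. Separately, `default-src 'none'` does not cover `frame-ancestors` or `form-action`, so both policies could add `frame-ancestors 'none'; form-action 'self'` unless those are set elsewhere. `main()` begins and ends outside the hunk, so how the nonce reaches the generated pages is not visible here.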