From 683b701655f57b13c869e998a0d81ce015b42d23 Mon Sep 17 00:00:00 2001
From: Peter Foster
Date: Sun, 22 Mar 2026 19:26:22 +0000
Subject: [PATCH] fix: add unsafe-inline back to style-src CSP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

style-src without unsafe-inline blocks all inline style= attributes, breaking logo sizing, section layouts, and any element with inline CSS. script-src retains nonces for actual XSS protection — style-src unsafe-inline is safe and necessary for the sites inline styling patterns.
---
 index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.php b/index.php
index 8a36ee1..4eb9805 100644
--- a/index.php
+++ b/index.php
@@ -13,7 +13,7 @@ if (!isset($_SESSION['csrf_token'])) {
 $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
 }
 header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
-header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}' https://cdnjs.cloudflare.com https://www.googletagmanager.com https://www.google-analytics.com https://www.clarity.ms https://www.google.com https://www.gstatic.com; style-src 'self' 'nonce-{$nonce}' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com https://analytics.google.com https://region1.google-analytics.com https://www.google.com; frame-src https://www.google.com;");
+header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}' https://cdnjs.cloudflare.com https://www.googletagmanager.com https://www.google-analytics.com https://www.clarity.ms https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com https://analytics.google.com https://region1.google-analytics.com https://www.google.com; frame-src https://www.google.com;");
 // SEO and performance optimizations
 $page_title = "AI Automation for Legal Firms UK | Cut Research Time 80%";
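Review bot: Swapping the style-src nonce for `'unsafe-inline'` on the added header line re-opens CSS injection on every page that sends this policy, which is a real if lower-severity risk than script injection: anyone who can get markup into a page can then add stylesheet rules that leak attribute values from the DOM (the CSRF token set a few lines above, if it is rendered into a form attribute) or restyle the page for phishing, so the commit message's "safe" overstates it. If the inline `style=` attributes cannot be moved into classes or a nonced `<style>` block, the narrower option is `'unsafe-hashes'` together with a `'sha256-<hash-of-each-style-attribute>'` entry per distinct attribute value, which keeps injected styles blocked; keeping the nonce next to `'unsafe-inline'` would not help, because CSP-capable browsers ignore `'unsafe-inline'` when a nonce or hash is present in the same directive. Whichever is chosen, record the trade-off beside the header so it is not tightened and re-broken again, e.g. `// style-src allows 'unsafe-inline' because templates depend on inline style= attributes; script-src stays nonce-only — do not relax it.` `$nonce` is defined outside the hunk; it is worth confirming there that it is generated fresh for each request, since the script-src protection now rests on it alone.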