oops

Author: sorah

config/nginx.conf.erb

@@ -214,7 +214,7 @@ http {
     set $csp_policy "";
     set $csp_policy_report "";
     if ($http_x_forwarded_proto = "https") {
-      set $csp_policy "upgrade-insecure-requests; frame-ancestors 'none'; script-src 'unsafe-inline'; script-src 'unsafe-eval'; style-src 'unsafe-inline'; default-src https:";
+      set $csp_policy "upgrade-insecure-requests; frame-ancestors 'none'; script-src 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline'; default-src https:";
       set $csp_policy_report "default-src https:; script-src 'unsafe-inline'; report-uri https://<%= primary_host %>/_csp";
     }
     add_header X-Content-Type-Options "nosniff";
@@ -503,7 +503,7 @@ http {
     set $csp_policy "";
     set $csp_policy_report "";
     if ($http_x_forwarded_proto = "https") {
-      set $csp_policy "frame-ancestors 'none'; script-src 'unsafe-inline'; script-src 'unsafe-eval'; style-src 'unsafe-inline'; default-src https:";
+      set $csp_policy "frame-ancestors 'none'; script-src 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline'; default-src https:";
       set $csp_policy_report "default-src https:; script-src 'unsafe-inline'; report-uri https://<%= primary_host %>/_csp";
     }
     add_header X-Content-Type-Options "nosniff";
@@ -517,7 +517,7 @@ http {
         proxy_hide_header Cache-Control;
         proxy_hide_header Expires;
         # 2015 sites and prior had mixed content issues
-        set $csp_policy "upgrade-insecure-requests; frame-ancestors 'none'; script-src 'unsafe-inline'; script-src 'unsafe-eval'; style-src 'unsafe-inline'; default-src https:";
+        set $csp_policy "upgrade-insecure-requests; frame-ancestors 'none'; script-src 'unsafe-inline' 'unsafe-eval'; style-src 'unsafe-inline'; default-src https:";
         add_header Cache-Control "public, max-age=604800, s-maxage=31536000";
         proxy_pass https://2009-2011.rubykaigi.org;
     }