From b699796236d8561e937992b415e0e7654f60ec78 Mon Sep 17 00:00:00 2001
From: Ozzie Isaacs <ozzie.fernandez.isaacs@googlemail.com>
Date: Sun, 3 Oct 2021 08:03:14 +0200
Subject: [PATCH] Improved CSRF protection

---
 cps/web.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/cps/web.py b/cps/web.py
index 917ce8c8..3681c38c 100644
--- a/cps/web.py
+++ b/cps/web.py
@@ -84,7 +84,9 @@ except ImportError:
 
 @app.after_request
 def add_security_headers(resp):
-    resp.headers['Content-Security-Policy']= "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:"
+    resp.headers['Content-Security-Policy'] = "default-src 'self' 'unsafe-inline' 'unsafe-eval';"
+    if request.endpoint == "editbook.edit_book":
+        resp.headers['Content-Security-Policy'] += "img-src * data:"
     resp.headers['X-Content-Type-Options'] = 'nosniff'
     resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
     resp.headers['X-XSS-Protection'] = '1; mode=block'