diff --git a/webcompat/views.py b/webcompat/views.py
index 1a06a61ab..6e49d262b 100644
--- a/webcompat/views.py
+++ b/webcompat/views.py
@@ -57,6 +57,15 @@ def after_request(response):
     response.headers['X-Content-Type-Options'] = 'nosniff'
     response.headers['X-XSS-Protection'] = '1; mode=block'
     response.headers['X-Frame-Options'] = 'DENY'
+    response.headers['Content-Security-Policy-Report-Only'] = (
+        "default-src 'none'; " +
+        "connect-src 'self'; " +
+        "font-src 'self'; " +
+        "img-src 'self'; " +
+        "script-src 'self' https://www.google-analytics.com; " +
+        "style-src 'self'; " +
+        "report-uri /csp-report"
+    )
     return response