From 2ed25cc843b88dc2e0d14099221fe16d6daf52fd Mon Sep 17 00:00:00 2001
From: Darren Nathanael <github@darrennathanael.com>
Date: Fri, 17 Nov 2023 10:00:00 -0600
Subject: [PATCH] CSP - Upstream Patch (#239)

* Remove 32bit

Docker does not support 32bit anymore.

* Fix CSP mistake from 6 years ago.

https://content-security-policy.com/unsafe-inline/

* CSP Vun oversight fix
---
 .github/workflows/docker.yml | 2 +-
 dpaste/settings/base.py      | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index cb32de6..a804cdb 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -59,6 +59,6 @@ jobs:
           builder: ${{ steps.buildx.outputs.name }}
           context: .
           file: ./Dockerfile
-          platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/i386
+          platforms: linux/amd64,linux/arm64,linux/ppc64le
           push: true
           tags: ${{ steps.prep.outputs.tags }}
diff --git a/dpaste/settings/base.py b/dpaste/settings/base.py
index 3b61056..13a5019 100644
--- a/dpaste/settings/base.py
+++ b/dpaste/settings/base.py
@@ -116,8 +116,9 @@ SECURE_BROWSER_XSS_FILTER = True
 SECURE_CONTENT_TYPE_NOSNIFF = True
 
 CSP_DEFAULT_SRC = ("'none'",)
-CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'")
-CSP_STYLE_SRC = ("'self'", "'unsafe-inline'")
+# If you edit the CSS/JS update your 256 HASH here.
+CSP_SCRIPT_SRC = ("'self'", "'unsafe-hashes'", "'sha256-634c702966ae36dcd81fe7a4c4756413be3b77af4f4a820651faecd1db1ab26a'",)
+CSP_STYLE_SRC = ("'self'", "'unsafe-hashes'", "'sha256-7ac9cd7ab2811dac84cdc031d0acf0f355a2ab619f633b857f6db5b4c2b45361'")
 
 LOGGING = {
     "version": 1,