I am trying to implement CSP using flask-talisman (new to that). I managed to load external CDNs but I can't use my own scripts located in /static/js/[folders]/[subfolders]/file.js, e.g. in the template HTML:
<script src="{{ url_for('static', filename='js/leaflet_handlers/realtor_overlays.js') }}"></script>
<script nonce="{{ csp_nonce() }}">
functionIn_realtor_overlays();
</script>
Then, at the functionIn_realtor_overlays() level, I get this error: ip/...static/js/.../realtor_overlays.js " was blocked due to MIME type (“text/plain”) mismatch (X-Content-Type-Options: nosniff)"
My CSP dict is:
tal_csp = {
    'default-src': ['\'self\'',
                    'https://unpkg.com', 'https://googletagmanager.com',
                    'https://www.googletagmanager.com', 'https://code.jquery.com',
                    'https://cdn.jsdelivr.net', 'https://cdnjs.cloudflare.com'
                    ],
    'script-src': ['\'self\'',
                   'https://unpkg.com', 'https://www.googletagmanager.com', 'https://code.jquery.com',
                   'https://cdn.jsdelivr.net', 'https://cdnjs.cloudflare.com',
                   ],
}
which I call at the app level like this:
Talisman(app,
         content_security_policy=tal_csp,
         content_security_policy_nonce_in=['script-src']
         )
It seems that I may need to include a new key ('X-Content-Type-Options') in my tal_csp dict, but I am not sure how and haven't found an example so far. Any help would be greatly appreciated, thank you.
NB: I currently run the app on Windows in debug mode; prod will be on an Ubuntu server, using a different ip/url/port for the static folder.
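As an added example (not code from the question or from flask-talisman), here are the two checks that pin this error down. X-Content-Type-Options: nosniff is a separate response header that Talisman sends by default; it is not a CSP directive, so the browser is refusing the file because of the Content-Type the static route returned, not because of anything in the policy dict. Flask chooses that Content-Type through Python's mimetypes module, which on Windows also reads the registry, and a stale registry mapping of .js to text/plain is a frequently reported reason for exactly this message. The block below registers the script type explicitly, serialises the question's tal_csp dict with a nonce the way the nonce_in setting does (my own illustrative reimplementation, not Talisman's code), and shows that the same-origin static script is already covered by 'self'. The dev-server origin and the file name are constructed sample values.

```python
import mimetypes
import secrets

# CSP policy dict copied from the question above.
tal_csp = {
    "default-src": ["'self'",
                    "https://unpkg.com", "https://googletagmanager.com",
                    "https://www.googletagmanager.com", "https://code.jquery.com",
                    "https://cdn.jsdelivr.net", "https://cdnjs.cloudflare.com"],
    "script-src": ["'self'",
                   "https://unpkg.com", "https://www.googletagmanager.com",
                   "https://code.jquery.com", "https://cdn.jsdelivr.net",
                   "https://cdnjs.cloudflare.com"],
}

# Either of these satisfies a browser that enforces X-Content-Type-Options: nosniff.
SCRIPT_TYPES = ("application/javascript", "text/javascript")


def ensure_js_mime_type(filename="realtor_overlays.js"):
    """Return the MIME type Python will hand Flask for a .js file, after making
    sure it is a script type. mimetypes consults the Windows registry, so a
    stale mapping there can yield text/plain, which a nosniff browser refuses
    to execute. Call this once at startup, before any static file is served."""
    guessed, _ = mimetypes.guess_type(filename)
    if guessed not in SCRIPT_TYPES:
        mimetypes.add_type("application/javascript", ".js")
    return mimetypes.guess_type(filename)[0]


def new_nonce():
    """Per-response random nonce, the value csp_nonce() exposes in the template."""
    return secrets.token_urlsafe(16)


def build_csp_header(policy, nonce, nonce_in=("script-src",)):
    """Serialise a Talisman-style policy dict into a Content-Security-Policy
    header value, appending 'nonce-...' only to the directives named in nonce_in.
    Illustrative reimplementation for this example, not flask-talisman's code."""
    parts = []
    for directive, sources in policy.items():
        sources = list(sources) if isinstance(sources, (list, tuple)) else [sources]
        if directive in nonce_in:
            sources.append(f"'nonce-{nonce}'")
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def source_allowed(sources, url, page_origin):
    """Simplified host-source check: does a script fetched from url satisfy the
    given source list? Handles 'self' and scheme+host entries only, no wildcards."""
    for src in sources:
        if src == "'self'" and url.startswith(page_origin.rstrip("/") + "/"):
            return True
        if src.startswith("https://") and url.startswith(src.rstrip("/") + "/"):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values: a local dev-server origin and the question's script path.
    origin = "http://127.0.0.1:5000"
    static_js = origin + "/static/js/leaflet_handlers/realtor_overlays.js"
    print("Content-Type Flask will use for .js:", ensure_js_mime_type())
    nonce = new_nonce()
    print("Content-Security-Policy:", build_csp_header(tal_csp, nonce))
    print("static script permitted by script-src:",
          source_allowed(tal_csp["script-src"], static_js, origin))
```

If ensure_js_mime_type() reports text/plain before the add_type call, the policy dict is not the thing to change; the mapping is, and it must be fixed on the machine that serves the static files, which is why the behaviour can differ between the Windows debug box and the Ubuntu server.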