don't set csp header on /api routes

2024-09-19 15:01:59 +00:00 · 2024-03-16 06:10:58 -04:00 · 2024-03-16 06:10:58 -04:00 · ea0658e2ea
parent 5c210dc20f
commit ea0658e2ea
1 changed files with 1 additions and 1 deletions
--- a/relay/application.py
+++ b/relay/application.py
@ -333,7 +333,7 @@ async def handle_response_headers(request: web.Request, handler: Callable) -> Re
 	resp.headers['Server'] = 'ActivityRelay'

 	# Still have to figure out how csp headers work
-	if resp.content_type == 'text/html':
+	if resp.content_type == 'text/html' and not request.path.startswith("/api"):
 		resp.headers['Content-Security-Policy'] = get_csp(request)

 	if not request.app['dev'] and request.path.endswith(('.css', '.js')):