aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMartin Fischer <martin@push-f.com>2021-06-24 19:47:55 +0200
committerMartin Fischer <martin@push-f.com>2021-06-24 20:10:46 +0200
commita3f04614b916dd5c2591f37decac0ba3e3ecabb5 (patch)
tree3d10d9da2191aacdd1eb70a61c2d33c5d918b2f4
parent26298bcd7ef204db4396ca2d0e603fc183220cd2 (diff)
make CSP stricter by setting default-src to 'self'
Embedding remote files can leak info via the Referer header. Also changes child-src to frame-src since it has a higher precedence. (https://www.w3.org/TR/CSP3/#changes-from-level-2)
-rw-r--r--src/main.rs2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/main.rs b/src/main.rs
index 7313a6d..cdb5650 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -257,7 +257,7 @@ async fn service<C: Controller>(
resp.headers_mut().insert(
header::CONTENT_SECURITY_POLICY,
format!(
- "child-src 'none'; script-src 'sha256-{}'; style-src 'sha256-{}'",
+ "default-src 'self'; frame-src 'none'; script-src 'sha256-{}'; style-src 'sha256-{}'",
include_str!("static/edit_script.js.sha256"),
include_str!("static/style.css.sha256"),
)