make CSP stricter by setting default-src to 'self'

Embedding remote files can leak info via the Referer header. Also changes child-src to frame-src since it has a higher precedence. (https://www.w3.org/TR/CSP3/#changes-from-level-2)
author: Martin Fischer <martin@push-f.com> 2021-06-24 19:47:55 +0200
committer: Martin Fischer <martin@push-f.com> 2021-06-24 20:10:46 +0200
commit: a3f04614b916dd5c2591f37decac0ba3e3ecabb5 (patch)
tree: 3d10d9da2191aacdd1eb70a61c2d33c5d918b2f4 /src/main.rs
parent: 26298bcd7ef204db4396ca2d0e603fc183220cd2 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/main.rs b/src/main.rs
index 7313a6d..cdb5650 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -257,7 +257,7 @@ async fn service<C: Controller>(
     resp.headers_mut().insert(
         header::CONTENT_SECURITY_POLICY,
         format!(
-            "child-src 'none'; script-src 'sha256-{}'; style-src 'sha256-{}'",
+            "default-src 'self'; frame-src 'none'; script-src 'sha256-{}'; style-src 'sha256-{}'",
             include_str!("static/edit_script.js.sha256"),
             include_str!("static/style.css.sha256"),
         )
author	Martin Fischer <martin@push-f.com>	2021-06-24 19:47:55 +0200
committer	Martin Fischer <martin@push-f.com>	2021-06-24 20:10:46 +0200
commit	a3f04614b916dd5c2591f37decac0ba3e3ecabb5 (patch)
tree	3d10d9da2191aacdd1eb70a61c2d33c5d918b2f4 /src/main.rs
parent	26298bcd7ef204db4396ca2d0e603fc183220cd2 (diff)