diff options
| author | Martin Fischer <martin@push-f.com> | 2021-06-24 19:47:55 +0200 |
|---|---|---|
| committer | Martin Fischer <martin@push-f.com> | 2021-06-24 20:10:46 +0200 |
| commit | a3f04614b916dd5c2591f37decac0ba3e3ecabb5 (patch) | |
| tree | 3d10d9da2191aacdd1eb70a61c2d33c5d918b2f4 | |
| parent | 26298bcd7ef204db4396ca2d0e603fc183220cd2 (diff) | |
make CSP stricter by setting default-src to 'self'
Embedding remote files can leak info via the Referer header.
Also changes child-src to frame-src since it has a higher precedence.
(https://www.w3.org/TR/CSP3/#changes-from-level-2)
| -rw-r--r-- | src/main.rs | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/main.rs b/src/main.rs index 7313a6d..cdb5650 100644 --- a/src/main.rs +++ b/src/main.rs @@ -257,7 +257,7 @@ async fn service<C: Controller>( resp.headers_mut().insert( header::CONTENT_SECURITY_POLICY, format!( - "child-src 'none'; script-src 'sha256-{}'; style-src 'sha256-{}'", + "default-src 'self'; frame-src 'none'; script-src 'sha256-{}'; style-src 'sha256-{}'", include_str!("static/edit_script.js.sha256"), include_str!("static/style.css.sha256"), ) |