Skip to content
Snippets Groups Projects
Unverified Commit 4283a49e authored by Jeremy Lin's avatar Jeremy Lin Committed by Daniel García
Browse files

Reformat CSP header for readability

parent 1e32db8c
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 20 additions and 6 deletions
src/util.rs
+ 20
6
View file @ 4283a49e
...@@ -63,16 +63,30 @@ impl Fairing for AppHeaders { ...@@ -63,16 +63,30 @@ impl Fairing for AppHeaders {
// app.simplelogin.io, app.anonaddy.com, api.fastmail.com // app.simplelogin.io, app.anonaddy.com, api.fastmail.com
let csp = format!( let csp = format!(
"default-src 'self'; \ "default-src 'self'; \
object-src 'self' blob:; \
script-src 'self'{script_src}; \ script-src 'self'{script_src}; \
style-src 'self' 'unsafe-inline'; \ style-src 'self' 'unsafe-inline'; \
img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com {icon_service_csp}; \
child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \ child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \ frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/; \ frame-ancestors 'self' \
object-src 'self' blob:; \ chrome-extension://nngceckbapebfimnlniiiahkandclblb \
frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {allowed_iframe_ancestors};", chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh \
icon_service_csp=CONFIG._icon_service_csp(), moz-extension://* \
allowed_iframe_ancestors=CONFIG.allowed_iframe_ancestors() {allowed_iframe_ancestors}; \
img-src 'self' data: \
https://haveibeenpwned.com/ \
https://www.gravatar.com \
{icon_service_csp}; \
connect-src 'self' \
https://api.pwnedpasswords.com/range/ \
https://2fa.directory/api/ \
https://app.simplelogin.io/api/ \
https://app.anonaddy.com/api/ \
https://api.fastmail.com/ \
;\
",
icon_service_csp = CONFIG._icon_service_csp(),
allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors()
); );
res.set_raw_header("Content-Security-Policy", csp); res.set_raw_header("Content-Security-Policy", csp);
res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); res.set_raw_header("X-Frame-Options", "SAMEORIGIN");
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment