Improve CSP and security headers (closes #74)

2025-12-14 04:05:14 +00:00 · 2022-11-18 12:08:18 -05:00
parent 10289cde51
commit 5c2962d34d
5 changed files with 6 additions and 6 deletions
--- a/pages/embed.go
+++ b/pages/embed.go
@@ -11,7 +11,7 @@ import (
 func HandleEmbed(c *fiber.Ctx) error {
 	utils.SetHeaders(c)
 	c.Set("Cache-Control", "public,max-age=31557600")
-	c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; block-all-mixed-content")
+	c.Set("Content-Security-Policy", "default-src 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; style-src 'self'; img-src 'self'; block-all-mixed-content")

 	post, err := api.Album{}, error(nil)
 	switch {
@@ -40,7 +40,7 @@ func HandleEmbed(c *fiber.Ctx) error {
 func HandleGifv(c *fiber.Ctx) error {
 	utils.SetHeaders(c)
 	c.Set("Cache-Control", "public,max-age=31557600")
-	c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; block-all-mixed-content")
+	c.Set("Content-Security-Policy", "default-src 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; style-src 'self'; img-src 'self'; block-all-mixed-content")

 	return c.Render("gifv", fiber.Map{
 		"id": c.Params("postID"),