author | Vika <vika@fireburn.ru> | 2025-04-16 03:37:13 +0300 |
---|---|---|
committer | Vika <vika@fireburn.ru> | 2025-04-16 03:37:13 +0300 |
commit | e3c845d8f563d75618e237cdf16bd4ad4a00dcb8 (patch) | |
tree | 2c91a94fd8230f7876452b4dc6007d81fbb115fe | |
parent | d168aa6362c812401847b84196e8d69823b4a11e (diff) | |
Add `connect-src 'self';` to CSP
why is this a thing... should've just put `default-src 'self'` to get behavior similar to what was in the past Change-Id: I0d3850931fe97f87a1aa10223502791a78cbe7fc
-rw-r--r-- | src/indieauth/mod.rs | 4 | ||||
-rw-r--r-- | src/lib.rs | 1 |
2 files changed, 4 insertions, 1 deletions
diff --git a/src/indieauth/mod.rs b/src/indieauth/mod.rs
index 2e8a44b..5cdbf05 100644
--- a/src/indieauth/mod.rs
+++ b/src/indieauth/mod.rs
@@ -218,7 +218,9 @@ async fn authorization_endpoint_get<A: AuthBackend, D: Storage + 'static>(
 )
 .into_response();
 }
-
+ // Should we attempt to create synthetic metadata from an h-card?
+ //
+ // This would increase compatibility with personal websites.
 if let Some(app) = mf2
 .items
 .iter()
diff --git a/src/lib.rs b/src/lib.rs
index b12bdfc..cf81dc9 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -384,6 +384,7 @@ where
 "style-src 'self';", // Only use styles we serve.
 "base-uri 'none';", // Do not allow to change the base URI.
 "object-src 'none';", // Do not allow to embed objects (Flash/ActiveX).
+ "connect-src 'self';", // Allow sending data back to us. (WHY IS THIS A THING OMG)
 // Allow embedding the Bandcamp player for jam posts.
 // TODO: perhaps make this policy customizable?…
 "frame-src 'self' https://bandcamp.com/EmbeddedPlayer/;" |
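Review bot: The comment added above the `if let Some(app) = mf2` branch is an open question rather than a record of a decision, so nobody grepping for pending work will find it; phrase it as `// TODO: consider synthesizing client metadata from an h-card when no h-app is found, to improve compatibility with personal websites.`. If that fallback is ever implemented, the same comment should note that any name or logo synthesized this way comes from a document fetched from the client-supplied URL and must be rendered as untrusted text, as presumably the existing h-app data already is. The enclosing function authorization_endpoint_get starts before the hunk and continues after it.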
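Review bot: Adding `connect-src 'self'` closes one gap, but the policy still has no `default-src`, so every fetch directive not enumerated in this list (for example `font-src`, `media-src`, `worker-src`, `manifest-src`) stays unrestricted unless it is set somewhere outside this hunk. Rather than chasing each one, add `"default-src 'self';", // Fallback for every fetch directive not listed explicitly.` at the head of the list, which is also what the commit message itself suggests; directives that do not inherit from `default-src`, such as `base-uri` and `form-action`, still need explicit entries, and I cannot tell from this hunk whether `form-action` has one. The comment on the new line should state the effect rather than react to it, e.g. `// Restrict fetch()/XHR/WebSocket/EventSource targets to our own origin.`. The directive list starts and ends outside the hunk.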