author | Vika <vika@fireburn.ru> | 2025-04-06 23:05:06 +0300 |
---|---|---|
committer | Vika <vika@fireburn.ru> | 2025-04-09 23:31:57 +0300 |
commit | 40694873befb6159448c7e48bb02cc8c4f2e030b (patch) | |
tree | ba9529d298be5f021822723f1a8ae5207b10babe | |
parent | 8c8a63091e68dbfe11bb23b75eea598bafc12966 (diff) | |
download | kittybox-40694873befb6159448c7e48bb02cc8c4f2e030b.tar.zst |
Generate CSP using `concat!()`
This makes it more readable. Change-Id: Iefbdef1029c9759fe68ebc8fa61002e827e7d728
-rw-r--r-- | src/lib.rs | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/src/lib.rs b/src/lib.rs
index 6d8e784..e2fac56 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -311,7 +311,16 @@ St: Clone + Send + Sync + 'static
 .layer(tower_http::set_header::SetResponseHeaderLayer::appending(
 axum::http::header::CONTENT_SECURITY_POLICY,
 axum::http::HeaderValue::from_static(
- "default-src 'self'; img-src https:; script-src 'self'; style-src 'self'; base-uri 'none'; object-src 'none'"
+ concat!(
+ "default-src 'none';", // Do not allow unknown things we didn't foresee.
+ "img-src https:;", // Allow hotlinking images from anywhere.
+ "form-action 'self';", // Only allow sending forms back to us.
+ "media-src 'self';", // Only allow embedding media from us.
+ "script-src 'self';", // Only run scripts we serve.
+ "style-src 'self';", // Only use styles we serve.
+ "base-uri 'none';", // Do not allow to change the base URI.
+ "object-src 'none';", // Do not allow to embed objects (Flash/ActiveX).
+ )
 )
 ))
 }
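Review bot: The new `concat!()` policy still leaves `frame-ancestors` unrestricted, because that directive does not fall back to `default-src 'none'`; if these pages are not meant to be embedded by other origins, add `"frame-ancestors 'none';", // Do not allow other sites to frame our pages.` next to the `form-action` line so the header also covers framing. Tightening `default-src` from `'self'` to `'none'` also means same-origin fetch/XHR, fonts, workers and frames are now blocked unless `connect-src`, `font-src` or similar are listed explicitly — I cannot tell from this hunk whether the application depends on any of them, so that is worth confirming before this ships. The concatenated literals join with `;` and no space, which is valid CSP (the parser trims whitespace around each directive), but writing `"default-src 'none'; "` with a trailing space would make the emitted header easier to read in a response dump. The enclosing function starts before this hunk.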