Add `connect-src 'self';` to CSP
Why is this a separate directive at all? Should have just put `default-src 'self'` to get
behavior similar to what was in place before.
Change-Id: I0d3850931fe97f87a1aa10223502791a78cbe7fc
2 files changed, 4 insertions, 1 deletions
diff --git a/src/indieauth/mod.rs b/src/indieauth/mod.rs
index 2e8a44b..5cdbf05 100644
--- a/src/indieauth/mod.rs
+++ b/src/indieauth/mod.rs
@@ -218,7 +218,9 @@ async fn authorization_endpoint_get<A: AuthBackend, D: Storage + 'static>(
)
.into_response();
}
-
+ // Should we attempt to create synthetic metadata from an h-card?
+ //
+ // This would increase compatibility with personal websites.
if let Some(app) = mf2
.items
.iter()
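Review bot: The comment added at L15–L17 is an open design question rather than a tracked item, while the lib.rs hunk in this same commit uses the grep-able `// TODO:` form; I would write it as `// TODO: consider synthesizing client metadata from an h-card when none is published,` followed by `// to improve compatibility with personal websites.` If that fallback is ever implemented, keep in mind that an h-card is authored by whoever controls the page being fetched (presumably the client_id URL), so metadata derived from it deserves the same validation as whatever the existing mf2 `app` lookup below applies, which I cannot see from this hunk. authorization_endpoint_get begins before this hunk and continues past it.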
diff --git a/src/lib.rs b/src/lib.rs
index b12bdfc..cf81dc9 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -384,6 +384,7 @@ where
"style-src 'self';", // Only use styles we serve.
"base-uri 'none';", // Do not allow to change the base URI.
"object-src 'none';", // Do not allow to embed objects (Flash/ActiveX).
+ "connect-src 'self';", // Allow sending data back to us. (WHY IS THIS A THING OMG)
// Allow embedding the Bandcamp player for jam posts.
// TODO: perhaps make this policy customizable?…
"frame-src 'self' https://bandcamp.com/EmbeddedPlayer/;"