Set a minimal CSP

 - Styles and scripts can now only be loaded from Kittybox
   (hint: use the media endpoint if you wish to upload custom CSS)
 - Inline scripts are now completely prohibited
   (this means it's safe to show arbitrary HTML from Webmentions)
 - `<base>` element is prohibited (who uses that anyway?)
 - Loading anything else is only allowed via HTTPS

Change-Id: I285a18b71dd9860416b18dd0e88f8fe7c8511e0b

2 files changed, 7 insertions, 2 deletions

diff --git a/Cargo.toml b/Cargo.toml
index 20d0f89..bf14ded 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -87,7 +87,6 @@ tokio = "1.42.0"
 tokio-stream = "0.1.17"
 tokio-util = "0.7.13"
 tower = "0.5.2"
-tower-http = "0.6.2"
 tower-layer = "0.3.3"
 tower-service = "0.3.3"
 tower-test = "0.4.0"
@@ -160,7 +159,7 @@ tokio = { workspace = true, features = ["full", "tracing"] }
 tokio-stream = { workspace = true, features = ["time", "net"] }
 tokio-util = { workspace = true, features = ["io-util"] }
 tower = { workspace = true, features = ["tracing"] }
-tower-http = { workspace = true, features = ["trace", "cors", "catch-panic", "sensitive-headers"] }
+tower-http = { version = "0.6.2", features = ["trace", "cors", "catch-panic", "sensitive-headers", "set-header"] }
 tracing = { workspace = true, features = [] }
 tracing-log = { workspace = true }
 tracing-subscriber = { workspace = true, features = ["env-filter", "json"] }
diff --git a/src/lib.rs b/src/lib.rs
index e6bc24c..177dac4 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -308,4 +308,10 @@ St: Clone + Send + Sync + 'static
             axum::http::header::COOKIE,
             axum::http::header::SET_COOKIE,
         ]))
+        .layer(tower_http::set_header::SetResponseHeaderLayer::appending(
+            axum::http::header::CONTENT_SECURITY_POLICY,
+            axum::http::HeaderValue::from_static(
+                "default-src 'https:'; script-src 'self'; style-src 'self'; script-src-attr 'none'; base-uri 'none'"
+            )
+        ))
 }