From 40694873befb6159448c7e48bb02cc8c4f2e030b Mon Sep 17 00:00:00 2001
From: Vika
Date: Sun, 6 Apr 2025 23:05:06 +0300
Subject: Generate CSP using `concat!()`

This makes it more readable.

Change-Id: Iefbdef1029c9759fe68ebc8fa61002e827e7d728
---
 src/lib.rs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'src/lib.rs')

diff --git a/src/lib.rs b/src/lib.rs
index 6d8e784..e2fac56 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -311,7 +311,16 @@ St: Clone + Send + Sync + 'static
 .layer(tower_http::set_header::SetResponseHeaderLayer::appending(
 axum::http::header::CONTENT_SECURITY_POLICY,
 axum::http::HeaderValue::from_static(
- "default-src 'self'; img-src https:; script-src 'self'; style-src 'self'; base-uri 'none'; object-src 'none'"
+ concat!(
+ "default-src 'none';", // Do not allow unknown things we didn't foresee.
+ "img-src https:;", // Allow hotlinking images from anywhere.
+ "form-action 'self';", // Only allow sending forms back to us.
+ "media-src 'self';", // Only allow embedding media from us.
+ "script-src 'self';", // Only run scripts we serve.
+ "style-src 'self';", // Only use styles we serve.
+ "base-uri 'none';", // Do not allow to change the base URI.
+ "object-src 'none';", // Do not allow to embed objects (Flash/ActiveX).
+ )
 )
 ))
 }
-- cgit 1.4.1
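Review bot: The new policy is a tightening, not only a restyling — `default-src` goes from `'self'` to `'none'`, so `connect-src`, `font-src`, `frame-src`, `worker-src` and `manifest-src` now fall back to `'none'` and any same-origin `fetch()`/XHR, self-hosted fonts or iframes the application relies on will be blocked; the commit message ("This makes it more readable.") should state the behavioural change, and if the app needs any of those, add e.g. `"connect-src 'self';"` alongside the other `'self'` directives. `frame-ancestors` is not covered by `default-src`, so with this header alone the pages stay embeddable by other origins; consider `"frame-ancestors 'none';"` next to `base-uri` unless framing protection is set elsewhere. The `concat!` pieces join without a separator, producing `...'none';img-src https:;...` and a trailing empty directive; CSP parsers tolerate both, but ending each literal with `"; "` would make the emitted header match the conventional serialization and read cleanly in response dumps. The enclosing function starts outside the hunk.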