Merge remote-tracking branch 'upstream/master' into curl-smtp

author: shtrophic 2025-02-17 20:54:36 +0100
committer: shtrophic 2025-02-17 20:54:36 +0100
commit: 7eb2556f26baf8ff79fcb7388712d8b714efc4f6 (patch)
tree: 0d11017b6431c514bd6afd16138a06851cd2f09e /httpd.c
parent: Merge tag '2.72' into curl-smtp (diff)
parent: Merge pull request 'doc/snac8: elaborate regex blocking' (#305) from Menelmac... (diff)
download: snac2-7eb2556f26baf8ff79fcb7388712d8b714efc4f6.tar.gz
snac2-7eb2556f26baf8ff79fcb7388712d8b714efc4f6.tar.xz
snac2-7eb2556f26baf8ff79fcb7388712d8b714efc4f6.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/httpd.c b/httpd.c
index 5a38aff..22a148d 100644
--- a/httpd.c
+++ b/httpd.c
@@ -211,6 +211,8 @@ int server_get_handler(xs_dict *req, const char *q_path,
 {
    int status = 0;
+    const snac *user = NULL;
    /* is it the server root? */
    if (*q_path == '\0' || strcmp(q_path, "/") == 0) {
        const xs_dict *q_vars = xs_dict_get(req, "q_vars");
@@ -553,6 +555,9 @@ void httpd_connection(FILE *f)
    headers = xs_dict_append(headers, "access-control-allow-origin", "*");
    headers = xs_dict_append(headers, "access-control-allow-headers", "*");
+    /* disable any form of fucking JavaScript */
+    headers = xs_dict_append(headers, "Content-Security-Policy", "script-src ;");
    if (p_state->use_fcgi)
        xs_fcgi_response(f, status, headers, body, b_size, fcgi_id);
    else
author	shtrophic	2025-02-17 20:54:36 +0100
committer	shtrophic	2025-02-17 20:54:36 +0100
commit	7eb2556f26baf8ff79fcb7388712d8b714efc4f6 (patch)
tree	0d11017b6431c514bd6afd16138a06851cd2f09e /httpd.c
parent	Merge tag '2.72' into curl-smtp (diff)
parent	Merge pull request 'doc/snac8: elaborate regex blocking' (#305) from Menelmac... (diff)
download	snac2-7eb2556f26baf8ff79fcb7388712d8b714efc4f6.tar.gz snac2-7eb2556f26baf8ff79fcb7388712d8b714efc4f6.tar.xz snac2-7eb2556f26baf8ff79fcb7388712d8b714efc4f6.zip