summaryrefslogtreecommitdiff
path: root/httpd.c
diff options
context:
space:
mode:
authorGravatar default2025-02-13 19:44:21 +0100
committerGravatar default2025-02-13 19:44:21 +0100
commit292b2fd1224a40fd3fa5bc33248a7b11316abc22 (patch)
tree98eed1cf462048ee337e27cdc6652b02e1dadc50 /httpd.c
parentDrop SVG attachments, as they may include JavaScript. (diff)
downloadsnac2-292b2fd1224a40fd3fa5bc33248a7b11316abc22.tar.gz
snac2-292b2fd1224a40fd3fa5bc33248a7b11316abc22.tar.xz
snac2-292b2fd1224a40fd3fa5bc33248a7b11316abc22.zip
Force the Content-Security-Policy header, instead of just suggesting it in the docs.
Diffstat (limited to 'httpd.c')
-rw-r--r--httpd.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/httpd.c b/httpd.c
index 5a38aff..d22bb14 100644
--- a/httpd.c
+++ b/httpd.c
@@ -553,6 +553,9 @@ void httpd_connection(FILE *f)
553 headers = xs_dict_append(headers, "access-control-allow-origin", "*"); 553 headers = xs_dict_append(headers, "access-control-allow-origin", "*");
554 headers = xs_dict_append(headers, "access-control-allow-headers", "*"); 554 headers = xs_dict_append(headers, "access-control-allow-headers", "*");
555 555
556 /* disable any form of fucking JavaScript */
557 headers = xs_dict_append(headers, "Content-Security-Policy", "script-src ;");
558
556 if (p_state->use_fcgi) 559 if (p_state->use_fcgi)
557 xs_fcgi_response(f, status, headers, body, b_size, fcgi_id); 560 xs_fcgi_response(f, status, headers, body, b_size, fcgi_id);
558 else 561 else
HIC SVNT DRACONES