From 292b2fd1224a40fd3fa5bc33248a7b11316abc22 Mon Sep 17 00:00:00 2001
From: default
Date: Thu, 13 Feb 2025 19:44:21 +0100
Subject: Force the Content-Security-Policy header, instead of just suggesting
 it in the docs.

---
 doc/snac.8 | 4 +---
 httpd.c    | 3 +++
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/doc/snac.8 b/doc/snac.8
index c0a110c..7a7352c 100644
--- a/doc/snac.8
+++ b/doc/snac.8
@@ -198,9 +198,7 @@ By setting this to true, no inbox collection is done. Inbox collection helps
 being discovered from remote instances, but also increases network traffic.
 .It Ic http_headers
 If you need to add more HTTP response headers for whatever reason, you can
-fill this object with the required header/value pairs. For example, for enhanced
-XSS security, you can set the "Content-Security-Policy" header to "script-src ;"
-to be totally sure that no JavaScript is executed.
+fill this object with the required header/value pairs.
 .It Ic show_instance_timeline
 If this is set to true, the instance base URL will show a timeline with the latest
 user posts instead of the default greeting static page. If other information
diff --git a/httpd.c b/httpd.c
index 5a38aff..d22bb14 100644
--- a/httpd.c
+++ b/httpd.c
@@ -553,6 +553,9 @@ void httpd_connection(FILE *f)
     headers = xs_dict_append(headers, "access-control-allow-origin", "*");
     headers = xs_dict_append(headers, "access-control-allow-headers", "*");
 
+    /* disable any form of fucking JavaScript */
+    headers = xs_dict_append(headers, "Content-Security-Policy", "script-src ;");
+
     if (p_state->use_fcgi)
         xs_fcgi_response(f, status, headers, body, b_size, fcgi_id);
     else
-- 
cgit v1.2.3