From 292b2fd1224a40fd3fa5bc33248a7b11316abc22 Mon Sep 17 00:00:00 2001
From: default
Date: Thu, 13 Feb 2025 19:44:21 +0100
Subject: Force the Content-Security-Policy header, instead of just suggesting
 it in the docs.

---
 httpd.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'httpd.c')

diff --git a/httpd.c b/httpd.c
index 5a38aff..d22bb14 100644
--- a/httpd.c
+++ b/httpd.c
@@ -553,6 +553,9 @@ void httpd_connection(FILE *f)
     headers = xs_dict_append(headers, "access-control-allow-origin", "*");
     headers = xs_dict_append(headers, "access-control-allow-headers", "*");
 
+    /* disable any form of fucking JavaScript */
+    headers = xs_dict_append(headers, "Content-Security-Policy", "script-src ;");
+
     if (p_state->use_fcgi)
         xs_fcgi_response(f, status, headers, body, b_size, fcgi_id);
     else
-- 
cgit v1.2.3