From 292b2fd1224a40fd3fa5bc33248a7b11316abc22 Mon Sep 17 00:00:00 2001
From: default
Date: Thu, 13 Feb 2025 19:44:21 +0100
Subject: Force the Content-Security-Policy header, instead of just suggesting it in the docs.

---
 httpd.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'httpd.c')

diff --git a/httpd.c b/httpd.c
index 5a38aff..d22bb14 100644
--- a/httpd.c
+++ b/httpd.c
@@ -553,6 +553,9 @@ void httpd_connection(FILE *f)
     headers = xs_dict_append(headers, "access-control-allow-origin", "*");
     headers = xs_dict_append(headers, "access-control-allow-headers", "*");
 
+    /* disable any form of fucking JavaScript */
+    headers = xs_dict_append(headers, "Content-Security-Policy", "script-src ;");
+
     if (p_state->use_fcgi)
         xs_fcgi_response(f, status, headers, body, b_size, fcgi_id);
     else
-- 
cgit v1.2.3

From 02bc18eb118fcd93f5cd90a056f7b78dfe64382f Mon Sep 17 00:00:00 2001
From: default
Date: Fri, 14 Feb 2025 10:04:46 +0100
Subject: Redefined L() to use lang_str().

---
 httpd.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'httpd.c')

diff --git a/httpd.c b/httpd.c
index d22bb14..22a148d 100644
--- a/httpd.c
+++ b/httpd.c
@@ -211,6 +211,8 @@ int server_get_handler(xs_dict *req, const char *q_path,
 {
     int status = 0;
 
+    const snac *user = NULL;
+
     /* is it the server root? */
     if (*q_path == '\0' || strcmp(q_path, "/") == 0) {
         const xs_dict *q_vars = xs_dict_get(req, "q_vars");
-- 
cgit v1.2.3
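Review bot: The policy value `script-src ;` expresses "no scripts" through an empty source list, which the CSP spec treats as matching nothing but which is easy to misread and has been handled unevenly by older user agents; the explicit form `headers = xs_dict_append(headers, "Content-Security-Policy", "script-src 'none'; object-src 'none'");` states the intent directly and also closes plugin-based execution, which script-src alone does not cover. The new key is capitalized while the neighbouring keys are lowercase; HTTP header names are case-insensitive on the wire, but if xs_dict keys are looked up case-sensitively elsewhere (not visible here) the lowercase `content-security-policy` keeps the dict consistent. The comment above the line would serve a later reader better by stating the contract rather than the sentiment, e.g. `/* CSP: refuse all script execution, inline or external; applied to every response */`. Because the header is appended unconditionally, a handler that already set its own Content-Security-Policy earlier in the function would presumably end up duplicated or overridden depending on xs_dict_append semantics, which is worth confirming. httpd_connection begins and continues outside this hunk.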
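Review bot: `user` is declared and initialised to NULL but nothing in the hunk reads or assigns it, so its role has to be inferred from the commit subject — presumably the redefined L() macro expands to a lang_str() call that names this local implicitly. A macro that captures a local by name is a hidden dependency and deserves a comment at the declaration, e.g. `/* user context consumed by L()/lang_str(); stays NULL for server-level (non-user) responses */`, and lang_str() must then tolerate a NULL user on the server-root path, which cannot be confirmed from this hunk. The remainder of server_get_handler lies outside the hunk.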