csp: remove unusual directives, slight security improvement

Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-11-30 22:43:10 +00:00 · 2024-06-03 18:07:39 -04:00 · 2024-06-03 18:07:39 -04:00 · c9fbbdce1c
parent 732e8b82aa
commit c9fbbdce1c
1 changed files with 6 additions and 5 deletions
--- a/src/router/layers.rs
+++ b/src/router/layers.rs
@ -21,6 +21,10 @@ use tracing::Level;
 use crate::{request, router};
 const CONDUWUIT_CSP: &str =
 	"sandbox; default-src 'none'; font-src 'none'; script-src 'none'; frame-ancestors 'none'; base-uri 'none';";
 const CONDUWUIT_PERMISSIONS_POLICY: &str = "interest-cohort=(),browsing-topics=()";
 pub(crate) fn build(server: &Arc<Server>) -> io::Result<axum::routing::IntoMakeService<Router>> {
 	let layers = ServiceBuilder::new();
@ -60,14 +64,11 @@ pub(crate) fn build(server: &Arc<Server>) -> io::Result<axum::routing::IntoMakeS
 		))
 		.layer(SetResponseHeaderLayer::if_not_present(
 			HeaderName::from_static("permissions-policy"),
-			HeaderValue::from_static("interest-cohort=(),browsing-topics=()"),
+			HeaderValue::from_static(CONDUWUIT_PERMISSIONS_POLICY),
 		))
 		.layer(SetResponseHeaderLayer::if_not_present(
 			header::CONTENT_SECURITY_POLICY,
-			HeaderValue::from_static(
+			HeaderValue::from_static(CONDUWUIT_CSP),
 				"sandbox; default-src 'none'; font-src 'none'; script-src 'none'; plugin-types application/pdf; \
 				 style-src 'unsafe-inline'; object-src 'self'; frame-ancestors 'none'; base-uri 'none';",
 			),
 		))
 		.layer(cors_layer(server))
 		.layer(body_limit_layer(server))