csp: remove unusual directives, slight security improvement

Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
strawberry 2024-06-03 18:07:39 -04:00
parent 732e8b82aa
commit c9fbbdce1c

View file

@ -21,6 +21,10 @@ use tracing::Level;
use crate::{request, router}; use crate::{request, router};
const CONDUWUIT_CSP: &str =
"sandbox; default-src 'none'; font-src 'none'; script-src 'none'; frame-ancestors 'none'; base-uri 'none';";
const CONDUWUIT_PERMISSIONS_POLICY: &str = "interest-cohort=(),browsing-topics=()";
pub(crate) fn build(server: &Arc<Server>) -> io::Result<axum::routing::IntoMakeService<Router>> { pub(crate) fn build(server: &Arc<Server>) -> io::Result<axum::routing::IntoMakeService<Router>> {
let layers = ServiceBuilder::new(); let layers = ServiceBuilder::new();
@ -60,14 +64,11 @@ pub(crate) fn build(server: &Arc<Server>) -> io::Result<axum::routing::IntoMakeS
)) ))
.layer(SetResponseHeaderLayer::if_not_present( .layer(SetResponseHeaderLayer::if_not_present(
HeaderName::from_static("permissions-policy"), HeaderName::from_static("permissions-policy"),
HeaderValue::from_static("interest-cohort=(),browsing-topics=()"), HeaderValue::from_static(CONDUWUIT_PERMISSIONS_POLICY),
)) ))
.layer(SetResponseHeaderLayer::if_not_present( .layer(SetResponseHeaderLayer::if_not_present(
header::CONTENT_SECURITY_POLICY, header::CONTENT_SECURITY_POLICY,
HeaderValue::from_static( HeaderValue::from_static(CONDUWUIT_CSP),
"sandbox; default-src 'none'; font-src 'none'; script-src 'none'; plugin-types application/pdf; \
style-src 'unsafe-inline'; object-src 'self'; frame-ancestors 'none'; base-uri 'none';",
),
)) ))
.layer(cors_layer(server)) .layer(cors_layer(server))
.layer(body_limit_layer(server)) .layer(body_limit_layer(server))