Harden the CSP a bit for values that don't inherit default-src. Set Permissions-Policy. Remove TODO

main
Miguel Jacq 2022-08-30 13:39:10 +10:00 committed by Thomas Sileo
parent 05f840ecc8
commit db8f0cb141
1 changed files with 4 additions and 3 deletions

View File

@ -132,11 +132,12 @@ class CustomMiddleware:
] = "no-referrer, strict-origin-when-cross-origin" ] = "no-referrer, strict-origin-when-cross-origin"
headers["x-content-type-options"] = "nosniff" headers["x-content-type-options"] = "nosniff"
headers["x-xss-protection"] = "1; mode=block" headers["x-xss-protection"] = "1; mode=block"
headers["x-frame-options"] = "SAMEORIGIN" headers["x-frame-options"] = "DENY"
# TODO(ts): disallow inline CSS? headers["permissions-policy"] = "interest-cohort=()"
headers["content-security-policy"] = ( headers["content-security-policy"] = (
f"default-src 'self'; " f"default-src 'self'; "
f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}';" f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; "
f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
) )
if not DEBUG: if not DEBUG:
headers["strict-transport-security"] = "max-age=63072000;" headers["strict-transport-security"] = "max-age=63072000;"