Add embedded Content-Security-Policy
Add a baseline CSP applicable to all gamja deployments. Resources can only be loaded from the current host, frames and objects are disallowed, and scripts are allowed to connect to any host (to allow cross-site WebSocket connections). If the server returns a different CSP via an HTTP header, the effective CSP will be the intersection.
@@ -2,6 +2,7 @@
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'none'; object-src 'none'; connect-src *;">
|
||||
<title>gamja IRC client</title>
|
||||
<link rel="stylesheet" href="./style.css">
|
||||
<script type="module" src="./main.js"></script>
|
||||
|
||||
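Review bot: connect-src * on the added meta http-equiv="Content-Security-Policy" line is broader than the goal stated in the commit message, because connect-src governs fetch, XMLHttpRequest, EventSource and sendBeacon as well as WebSocket, so the policy places no limit on where page script can send data. If only cross-site WebSocket connections are needed, consider connect-src 'self' ws: wss: instead of the wildcard. Separately, default-src 'self' is not a fallback for base-uri or form-action, so adding base-uri 'self'; form-action 'self' to the same content attribute would cover those two. A policy delivered through a meta element also ignores frame-ancestors, so protection against being framed by other sites still has to come from the server's HTTP header, which is worth a line in the deployment docs.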