diff --git a/pages/embed.go b/pages/embed.go
index 456a725..ea7e122 100644
--- a/pages/embed.go
+++ b/pages/embed.go
@@ -11,7 +11,7 @@ import (
 func HandleEmbed(c *fiber.Ctx) error {
 utils.SetHeaders(c)
 c.Set("Cache-Control", "public,max-age=31557600")
- c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; block-all-mixed-content")
+ c.Set("Content-Security-Policy", "default-src 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; style-src 'self'; img-src 'self'; block-all-mixed-content")
 post, err := api.Album{}, error(nil)
 switch {
@@ -40,7 +40,7 @@ func HandleEmbed(c *fiber.Ctx) error {
 func HandleGifv(c *fiber.Ctx) error {
 utils.SetHeaders(c)
 c.Set("Cache-Control", "public,max-age=31557600")
- c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; block-all-mixed-content")
+ c.Set("Content-Security-Policy", "default-src 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; style-src 'self'; img-src 'self'; block-all-mixed-content")
 return c.Render("gifv", fiber.Map{
 "id": c.Params("postID"),
diff --git a/pages/frontpage.go b/pages/frontpage.go
index 9321fd6..4bd400a 100644
--- a/pages/frontpage.go
+++ b/pages/frontpage.go
@@ -11,7 +11,7 @@ func HandleFrontpage(c *fiber.Ctx) error {
 utils.SetHeaders(c)
 c.Set("X-Frame-Options", "DENY")
 c.Set("Cache-Control", "public,max-age=31557600")
- c.Set("Content-Security-Policy", "default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'; manifest-src 'self'; block-all-mixed-content")
+ c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; style-src 'self'; img-src 'self'; manifest-src 'self'; block-all-mixed-content")
 return c.Render("frontpage", fiber.Map{
 "proto": c.Protocol(),
diff --git a/pages/post.go b/pages/post.go
index 85d744e..8a5f41a 100644
--- a/pages/post.go
+++ b/pages/post.go
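Review bot: The new policy in HandleEmbed drops `font-src 'self'`, so under `default-src 'none'` any `@font-face` referenced from the self-hosted stylesheet is now refused; confirm the embed template's CSS loads no fonts, or keep the directive. Unlike the other handlers in this commit this one gains no `frame-ancestors`, which is presumably deliberate because an embed exists to be framed by third-party pages, but a one-line comment would keep a later hardening sweep from "fixing" it: `// No frame-ancestors on purpose: embeds are meant to be framed by other origins.` Note also that `Cache-Control: public,max-age=31557600` on the line above caches the response headers together with the body, so already-cached copies keep serving the older, weaker policy for up to a year.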
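Review bot: `block-all-mixed-content` is carried over into HandleGifv's new policy, but that directive is deprecated in CSP Level 3 and current browsers already block active mixed content by default; if the site is only ever served over HTTPS, `upgrade-insecure-requests` is the supported replacement and additionally rewrites passive `http:` media and image loads, which matters on a media page. The template is handed `"proto": c.Protocol()` elsewhere in this file, which suggests plain HTTP may still be in use, so verify that before switching, e.g. to `...; img-src 'self'; upgrade-insecure-requests")`. The policy string here is byte-identical to the one in HandleEmbed above, so every future tightening must be repeated by hand; a shared package-level constant would keep the two in step.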
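Review bot: `form-action 'none'` in HandleFrontpage's new policy blocks every form submission, including to the same origin, so if the frontpage template carries a search or navigation `<form>` it will silently stop working; confirm that, or use `form-action 'self'`. Removing `font-src 'self'` likewise means any web font referenced from the self-hosted stylesheet is now refused under `default-src 'none'`. The added `frame-ancestors 'none'` duplicates `X-Frame-Options: DENY` two lines above, which is fine as a fallback for older browsers. This is one of five near-identical hand-edited policy strings in the commit; a package-level base policy extended with per-page directives would make the next hardening a one-line change instead of five.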
@@ -45,7 +45,7 @@ func HandlePost(c *fiber.Ctx) error {
 }
 nonce := ""
- csp := "default-src 'none'; media-src 'self'; img-src 'self'; font-src 'self'; manifest-src 'self'; block-all-mixed-content; style-src 'self'"
+ csp := "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; img-src 'self'; manifest-src 'self'; block-all-mixed-content; style-src 'self'"
 if len(post.Tags) != 0 {
 b := make([]byte, 8)
 rand.Read(b)
diff --git a/pages/tag.go b/pages/tag.go
index 705d03a..093ffa3 100644
--- a/pages/tag.go
+++ b/pages/tag.go
@@ -12,7 +12,7 @@ func HandleTag(c *fiber.Ctx) error {
 utils.SetHeaders(c)
 c.Set("X-Frame-Options", "DENY")
 c.Set("Cache-Control", "public,max-age=604800")
- c.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline' 'self'; media-src 'self'; img-src 'self'; font-src 'self'; manifest-src 'self'; block-all-mixed-content")
+ c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; style-src 'unsafe-inline' 'self'; media-src 'self'; img-src 'self'; manifest-src 'self'; block-all-mixed-content")
 page := "1"
 if c.Query("page") != "" {
diff --git a/pages/user.go b/pages/user.go
index 904dc34..9a990b4 100644
--- a/pages/user.go
+++ b/pages/user.go
@@ -12,7 +12,7 @@ func HandleUser(c *fiber.Ctx) error {
 utils.SetHeaders(c)
 c.Set("X-Frame-Options", "DENY")
 c.Set("Cache-Control", "public,max-age=604800")
- c.Set("Content-Security-Policy", "default-src 'none'; media-src 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'; font-src 'self'; manifest-src 'self'; block-all-mixed-content")
+ c.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'; media-src 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'; manifest-src 'self'; block-all-mixed-content")
 page := "0"
 if c.Query("page") != "" {
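Review bot: The CSP nonce generated two lines below the changed `csp` line in HandlePost is only 8 bytes (64 bits) and the result of `rand.Read(b)` is discarded; CSP Level 3 recommends at least 128 bits of nonce entropy, and if `rand` here is `crypto/rand` a failed read leaves `b` all zeros and yields a predictable nonce that defeats the `style-src` allow-list. If it is `math/rand` the nonce is predictable regardless and should come from `crypto/rand`. Suggested: `b := make([]byte, 16)` / `if _, err := rand.Read(b); err != nil { return err }`. HandlePost starts and ends outside this hunk, and the lines that append `'nonce-...'` to `csp` are not visible, so whether the nonce actually reaches the header cannot be judged here.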
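Review bot: `style-src 'unsafe-inline' 'self'` survives the tightening in HandleTag, so if any request-derived value ends up inside a `<style>` block or a `style=` attribute of the tag template, CSS injection (attribute-selector exfiltration, UI overlays) is still possible despite the otherwise locked-down policy. HandlePost in this same commit already mints a per-response nonce for its inline styles; the tag template could move onto the same mechanism and drop `'unsafe-inline'`, e.g. `style-src 'self' 'nonce-` + nonce + `'`, or use a `'sha256-...'` hash if the inline styles are static. With `Cache-Control: public,max-age=604800` on the line above, the previous policy also stays in caches for up to a week after deploy.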
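Review bot: HandleUser's new policy lists its directives in a different order from HandleTag (`media-src` before `style-src` here, after it there) while being otherwise the same policy, which makes the two strings hard to diff by eye and is how such lists drift apart; normalising the order, or deriving both from one constant, would make future audits cheaper. The same `'unsafe-inline'` in `style-src` applies here as in HandleTag, so the nonce or hash approach should be adopted for both pages together. The `page` value read just below from `c.Query("page")` is request-controlled, and the handler continues past this hunk, so its validation cannot be assessed here.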