From 15048c2d1f4671717cb5a44e9699f78daa8c4c0e Mon Sep 17 00:00:00 2001
From: curben <curben@users.noreply.gitlab.com>
Date: Wed, 22 May 2019 12:39:53 +0930
Subject: [PATCH] fix: search.svg does not load in Firefox due to CSP

* Use default-src 'self' as a workaround
https://pokeinthe.io/2016/04/09/black-icons-with-svg-and-csp/
https://bugzilla.mozilla.org/show_bug.cgi?id=1303364
https://github.com/w3c/webappsec-csp/issues/199
https://github.com/w3c/webappsec-csp/issues/198

* use 'self' instead of localhost and netlify.com
* set other directives to 'none'
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
* font-src neeeds to be whitelisted before using fork-awesome
---
 netlify.toml                           | 2 +-
 themes/typing/layout/_partial/head.ejs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/netlify.toml b/netlify.toml
index 6c631ce..cfff5c1 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -8,7 +8,7 @@
     X-Frame-Options = "DENY"
     X-XSS-Protection = "1; mode=block"
     X-Content-Type-Options = "nosniff"
-    Content-Security-Policy = "default-src https: localhost:4000; script-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; style-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; frame-ancestors 'none'; block-all-mixed-content;"
+    Content-Security-Policy = "default-src 'self'; child-src 'none'; connect-src 'none'; font-src 'none'; frame-src 'none'; img-src https: 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'none'; script-src https://cdnjs.cloudflare.com 'self'; style-src https://cdnjs.cloudflare.com 'self'; worker-src 'none'; base-uri 'none'; form-action 'none'; block-all-mixed-content; frame-ancestors 'none';"
     Referrer-Policy = "no-referrer"
     Strict-Transport-Security = "max-age=31536000"
     Feature-Policy = "accelerometer 'none'; autoplay 'none'; camera 'none'; document.domain 'none'; display-capture 'none'; encrypted-media 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; sync-xhr 'none'; usb 'none'"
\ No newline at end of file
diff --git a/themes/typing/layout/_partial/head.ejs b/themes/typing/layout/_partial/head.ejs
index a59c7b0..ae6c352 100644
--- a/themes/typing/layout/_partial/head.ejs
+++ b/themes/typing/layout/_partial/head.ejs
@@ -3,7 +3,7 @@
 <head>
   <meta charset="utf-8">
   <%/* CSP */%>
-  <meta http-equiv="Content-Security-Policy" content="default-src https: localhost:4000; script-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; style-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; form-action 'none'; block-all-mixed-content;">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; child-src 'none'; connect-src 'none'; font-src 'none'; frame-src 'none'; img-src https: 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; prefetch-src 'none'; script-src https://cdnjs.cloudflare.com 'self'; style-src https://cdnjs.cloudflare.com 'self'; worker-src 'none'; base-uri 'none'; form-action 'none'; block-all-mixed-content;">
   <%
   let title = page.title