From 821ac056b777ae65b9c163d89eebda34bd12d512 Mon Sep 17 00:00:00 2001 From: curben Date: Tue, 21 May 2019 14:41:56 +0930 Subject: [PATCH] feat: add CSP via tag * doesn't support frame-ancestors directive * '*--curben.netlify.com' is invalid * add localhost * block-all-mixed-content works with localhost --- netlify.toml | 2 +- themes/typing/layout/_partial/head.ejs | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/netlify.toml b/netlify.toml index 7166265..88cec8a 100644 --- a/netlify.toml +++ b/netlify.toml @@ -8,7 +8,7 @@ X-Frame-Options = "DENY" X-XSS-Protection = "1; mode=block" X-Content-Type-Options = "nosniff" - Content-Security-Policy = "default-src https; script-src https://cdnjs.cloudflare.com https://curben.netlify.com https://*--curben.netlify.com 'unsafe-inline'; style-src https://cdnjs.cloudflare.com https://curben.netlify.com https://*--curben.netlify.com; block-all-mixed-content; form-action 'none'; frame-ancestors 'none'" + Content-Security-Policy = "default-src https localhost:4000; script-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; style-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; frame-ancestors 'none'; block-all-mixed-content;" Referrer-Policy = "no-referrer" Strict-Transport-Security = "max-age=31536000" Feature-Policy = "accelerometer 'none'; autoplay 'none'; camera 'none'; document.domain 'none'; display-capture 'none'; encrypted-media 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; sync-xhr 'none'; usb 'none'" \ No newline at end of file diff --git a/themes/typing/layout/_partial/head.ejs b/themes/typing/layout/_partial/head.ejs index 54aa171..7634780 100644 --- a/themes/typing/layout/_partial/head.ejs +++ b/themes/typing/layout/_partial/head.ejs @@ -2,6 +2,8 @@ + <%/* CSP */%> + <% let title = page.title