mirror of https://gitlab.com/curben/blog
feat: add CSP via <meta> tag
* <meta> doesn't support frame-ancestors directive * '*--curben.netlify.com' is invalid * add localhost * block-all-mixed-content works with localhost
This commit is contained in:
parent
03c527b2f5
commit
821ac056b7
|
@ -8,7 +8,7 @@
|
||||||
X-Frame-Options = "DENY"
|
X-Frame-Options = "DENY"
|
||||||
X-XSS-Protection = "1; mode=block"
|
X-XSS-Protection = "1; mode=block"
|
||||||
X-Content-Type-Options = "nosniff"
|
X-Content-Type-Options = "nosniff"
|
||||||
Content-Security-Policy = "default-src https; script-src https://cdnjs.cloudflare.com https://curben.netlify.com https://*--curben.netlify.com 'unsafe-inline'; style-src https://cdnjs.cloudflare.com https://curben.netlify.com https://*--curben.netlify.com; block-all-mixed-content; form-action 'none'; frame-ancestors 'none'"
|
Content-Security-Policy = "default-src https localhost:4000; script-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; style-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; frame-ancestors 'none'; block-all-mixed-content;"
|
||||||
Referrer-Policy = "no-referrer"
|
Referrer-Policy = "no-referrer"
|
||||||
Strict-Transport-Security = "max-age=31536000"
|
Strict-Transport-Security = "max-age=31536000"
|
||||||
Feature-Policy = "accelerometer 'none'; autoplay 'none'; camera 'none'; document.domain 'none'; display-capture 'none'; encrypted-media 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; sync-xhr 'none'; usb 'none'"
|
Feature-Policy = "accelerometer 'none'; autoplay 'none'; camera 'none'; document.domain 'none'; display-capture 'none'; encrypted-media 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; sync-xhr 'none'; usb 'none'"
|
|
@ -2,6 +2,8 @@
|
||||||
<html lang="<%= theme.language %>">
|
<html lang="<%= theme.language %>">
|
||||||
<head>
|
<head>
|
||||||
<meta charset="utf-8">
|
<meta charset="utf-8">
|
||||||
|
<%/* CSP */%>
|
||||||
|
<meta http-equiv="Content-Security-Policy" content="default-src https localhost:4000; script-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; style-src https://cdnjs.cloudflare.com https://*.netlify.com localhost:4000; form-action 'none'; block-all-mixed-content;">
|
||||||
<%
|
<%
|
||||||
let title = page.title
|
let title = page.title
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue