commit 292b2fd1224a40fd3fa5bc33248a7b11316abc22
parent e237a35f0d51683511e87e68c2fe3fd9bdf3ef9e
Author: default <nobody@localhost>
Date: Thu, 13 Feb 2025 19:44:21 +0100
Force the Content-Security-Policy header, instead of just suggesting it in the docs.
Diffstat:
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/doc/snac.8 b/doc/snac.8
@@ -198,9 +198,7 @@ By setting this to true, no inbox collection is done. Inbox collection helps
being discovered from remote instances, but also increases network traffic.
.It Ic http_headers
If you need to add more HTTP response headers for whatever reason, you can
-fill this object with the required header/value pairs. For example, for enhanced
-XSS security, you can set the "Content-Security-Policy" header to "script-src ;"
-to be totally sure that no JavaScript is executed.
+fill this object with the required header/value pairs.
.It Ic show_instance_timeline
If this is set to true, the instance base URL will show a timeline with the latest
user posts instead of the default greeting static page. If other information
diff --git a/httpd.c b/httpd.c
@@ -553,6 +553,9 @@ void httpd_connection(FILE *f)
headers = xs_dict_append(headers, "access-control-allow-origin", "*");
headers = xs_dict_append(headers, "access-control-allow-headers", "*");
+ /* disable any form of fucking JavaScript */
+ headers = xs_dict_append(headers, "Content-Security-Policy", "script-src ;");
+
if (p_state->use_fcgi)
xs_fcgi_response(f, status, headers, body, b_size, fcgi_id);
else
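Review bot: The value on the added line, `script-src ;`, blocks scripts only because an empty source list is treated as `'none'`; writing it as `script-src 'none';` is equivalent and unambiguous, and the header name could use the lowercase form the neighbouring `access-control-*` appends use so the two styles do not mix in one dict. Since the manual still lets operators add arbitrary headers through `http_headers`, a user-supplied CSP presumably ends up alongside this forced one; browsers enforce every CSP header they receive, so a duplicate can only tighten the policy, but that interaction deserves a note at the append site. I would also replace the profanity on the comment line with something like `/* forced CSP: no script execution from any source, regardless of http_headers */`. `httpd_connection` starts before this hunk and continues after it.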