mirror of
https://gitlab.com/soapbox-pub/ditto.git
synced 2025-12-06 11:29:46 +00:00
30 lines
821 B
TypeScript
30 lines
821 B
TypeScript
import { AppMiddleware } from '@/app.ts';
|
|
import { Conf } from '@/config.ts';
|
|
|
|
const csp = (): AppMiddleware => {
|
|
return async (c, next) => {
|
|
const { host, protocol, origin } = Conf.url;
|
|
const wsProtocol = protocol === 'http:' ? 'ws:' : 'wss:';
|
|
|
|
const policies = [
|
|
'upgrade-insecure-requests',
|
|
`script-src 'self'`,
|
|
`connect-src 'self' blob: ${origin} ${wsProtocol}//${host}`,
|
|
`media-src 'self' https:`,
|
|
`img-src 'self' data: blob: https:`,
|
|
`default-src 'none'`,
|
|
`base-uri 'self'`,
|
|
`frame-ancestors 'none'`,
|
|
`style-src 'self' 'unsafe-inline'`,
|
|
`font-src 'self'`,
|
|
`manifest-src 'self'`,
|
|
`frame-src 'self' https:`,
|
|
];
|
|
|
|
c.res.headers.set('content-security-policy', policies.join('; '));
|
|
|
|
await next();
|
|
};
|
|
};
|
|
|
|
export { csp };
|