From e29ccf722082e7da09151da6470ab7157644eebf Mon Sep 17 00:00:00 2001
From: Simon Ser <contact@emersion.fr>
Date: Sat, 27 Nov 2021 12:35:02 +0100
Subject: [PATCH] Add embedded Content-Security-Policy

Add a baseline CSP applicable to all gamja deployments. Resources
can only be loaded from the current host, frames and objects are
disallowed, and scripts are allowed to connect to any host (to allow
cross-site WebSocket connections).

If the server returns a different CSP via an HTTP header, the
effective CSP will be the intersection.
---
 index.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/index.html b/index.html
index 70a707a..573faf4 100644
--- a/index.html
+++ b/index.html
@@ -2,6 +2,7 @@
 <html>
 	<head>
 		<meta charset="utf-8">
+		<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'none'; object-src 'none'; connect-src *;">
 		<title>gamja IRC client</title>
 		<link rel="stylesheet" href="./style.css">
 		<script type="module" src="./main.js"></script>