Add embedded Content-Security-Policy

Add a baseline CSP applicable to all gamja deployments. Resources
can only be loaded from the current host, frames and objects are
disallowed, and scripts are allowed to connect to any host (to allow
cross-site WebSocket connections).

If the server returns a different CSP via an HTTP header, the
effective CSP will be the intersection.
Simon Ser 2021-11-27 12:35:02 +01:00
parent d8d2cbe0f7
commit e29ccf7220

@ -2,6 +2,7 @@
<html> <html>
<head> <head>
<meta charset="utf-8"> <meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; frame-src 'none'; object-src 'none'; connect-src *;">
<title>gamja IRC client</title> <title>gamja IRC client</title>
<link rel="stylesheet" href="./style.css"> <link rel="stylesheet" href="./style.css">
<script type="module" src="./main.js"></script> <script type="module" src="./main.js"></script>
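Review bot: The `frame-src 'none'` directive in the added meta tag only stops this page from embedding frames; it does not stop other sites from framing gamja, and the directive that does (`frame-ancestors`) is ignored when delivered via `<meta http-equiv>`, so if the commit message's "frames are disallowed" is meant to cover clickjacking, that part has to go in an HTTP `Content-Security-Policy` header set by the serving host, as the message already allows for. Two other consequences of `default-src 'self'` are worth checking in the browser console before merging, since no `style-src` or `img-src` is declared: inline `style="..."` attributes and inline scripts are blocked (CSSOM property assignments from `main.js` still work), and any image or stylesheet referenced from a host other than the one serving gamja is refused. The directive order and placement before `style.css` and `main.js` are fine.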