Standards recommend we use HTTP headers for our CSP

Let's do that.
justcool393 2023-07-27 21:50:38 -05:00 committed by Ben Rog-Wilhelm
parent 614d94652c
commit 2f0ed92318
7 changed files with 16 additions and 26 deletions


@ -1,11 +1,16 @@
from __future__ import annotations
import json
import sys
import time
from typing import TYPE_CHECKING
from flask import abort, g, request
from files.__main__ import app, db_session, limiter
if TYPE_CHECKING:
from flask.wrappers import Response
@app.before_request
def before_request():
@ -45,7 +50,13 @@ def teardown_request(error):
sys.stdout.flush()
@app.after_request
def after_request(response):
def after_request(response: Response):
response.headers.add("Content-Security-Policy", (
"script-src 'self' 'unsafe-inline';"
" connect-src 'self' *.google-analytics.com *.analytics.google.com;"
" object-src 'none';"
" img-src 'self' *.google-analytics.com *.analytics.google.com"
))
response.headers.add("Strict-Transport-Security", "max-age=31536000")
response.headers.add("X-Frame-Options", "deny")
return response
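Review bot: `response.headers.add(...)` appends rather than sets, so a response that already carries a Content-Security-Policy (one set by a view, or a second pass through after_request) goes out with two CSP headers, which browsers enforce independently, i.e. as their intersection, and Strict-Transport-Security and X-Frame-Options would be duplicated the same way; `response.headers["Content-Security-Policy"] = ...` (and likewise for the other two) or `setdefault` if a view-level override is intended would be the safer call. Now that the policy is delivered as a header rather than a `<meta>` tag, `frame-ancestors 'none'` becomes usable (it is ignored in meta form) and covers the same case as X-Frame-Options in current browsers, so `" frame-ancestors 'none';"` could be appended to the policy string while keeping the legacy header for older clients. A short comment such as `# Sent as a header, not <meta>, so directives like frame-ancestors and report-uri are honoured` would record why the policy moved out of the templates. The first lines of the hunk are the tail of teardown_request, whose body starts outside the hunk.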


@ -1,16 +1,10 @@
<!DOCTYPE html>
<html lang="en">
<head>
{% include "analytics.html" %}
<meta name="description" content="{{config('DESCRIPTION')}}">
{% include "csp.html" %}
<meta charset="utf-8">
{% include "analytics.html" %}
<meta name="description" content="{{config('DESCRIPTION')}}">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="author" content="">
<link id="favicon" rel="icon" type="image/png" href="{{ ('images/'~SITE_ID~'/icon.webp') | asset }}">
<title>Chat</title>


@ -1 +0,0 @@
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; connect-src 'self' *.google-analytics.com *.analytics.google.com; object-src 'none'; img-src 'self' *.google-analytics.com *.analytics.google.com">


@ -3,11 +3,8 @@
<html lang="en">
<head>
{% include "analytics.html" %}
<link rel="alternate" type="application/rss+xml" title="The Motte RSS" href="/rss">
<meta name="description" content="{{config('DESCRIPTION')}}">
{% include "csp.html" %}
<script src="{{ 'js/bootstrap.js' | asset }}"></script>
<script src="{{ 'js/micromodal.js' | asset }}"></script>
{% if v %}


@ -3,7 +3,6 @@
<head>
<meta charset="utf-8">
{% include "analytics.html" %}
{% include "csp.html" %}
<meta name="description" content="{{config('DESCRIPTION')}}">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<title>{% block pagetitle %}{{SITE_TITLE}}{% endblock %}</title>


@ -2,18 +2,14 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
{% include "analytics.html" %}
<meta name="description" content="{{config('DESCRIPTION')}}">
{% include "csp.html" %}
<script src="{{ 'js/bootstrap.js' | asset }}"></script>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="author" content="">
<link rel="icon" type="image/png" href="{{ ('images/'~SITE_ID~'/icon.webp') | asset }}">
<title>{% block pagetitle %}Settings - {{SITE_TITLE}}{% endblock %}</title>


@ -2,19 +2,13 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
{% include "analytics.html" %}
<meta name="description" content="{{config('DESCRIPTION')}}">
{% include "csp.html" %}
<script src="{{ 'js/bootstrap.js' | asset }}"></script>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="author" content="">
<link rel="icon" type="image/png" href="{{ ('images/'~SITE_ID~'/icon.webp') | asset }}">
{% block title %}
<title>Create a post - {{SITE_TITLE}}</title>
{% endblock %}