commit 0b75e088e5e7799559ddc81934e9d06c29f10c5b from: Omar Polo via: Thomas Adam date: Sat Aug 27 17:51:57 2022 UTC gotwebd: add CSP policy ok tracey@
commit - ddf2e5c25df6ac585a7908b50cc996d14f90eb2f
commit + 0b75e088e5e7799559ddc81934e9d06c29f10c5b
blob - 13925bb911f89a70f4befccba6360461bd6c44db
blob + 57eaf45343e11c31c878875724b102dbbf4aa774
--- gotwebd/gotweb.c
+++ gotwebd/gotweb.c
@@ -625,7 +625,13 @@ gotweb_free_transport(struct transport *t)
 const struct got_error *
 gotweb_render_content_type(struct request *c, const uint8_t *type)
 {
- fcgi_printf(c, "Content-Type: %s\r\n\r\n", type);
+ const char *csp = "default-src 'self'; script-src 'none'; "
+ "object-src 'none';";
+
+ fcgi_printf(c,
+ "Content-Security-Policy: %s\r\n"
+ "Content-Type: %s\r\n\r\n",
+ csp, type);
 return NULL;
 }
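Review bot: The `csp` literal in gotweb_render_content_type leaves `frame-ancestors`, `base-uri` and `form-action` unrestricted, because those directives do not fall back to `default-src`. Responses can therefore still be framed by another origin, and a `<form>` or `<base>` element that slipped through escaping of repository content would not be constrained by the policy. I would extend the second half of the string to `"object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none';"`, assuming gotwebd neither needs to be embedded nor submits forms to another origin. A one-line comment above `csp` such as `/* scripts and plugins are never needed; repository content is untrusted */` would also record why the policy is this strict.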