Update the Content-Security-Policy: remove style-src and script-src which are inherited by default-src. Add frame-ancestors, form-action and base-uri which do not inherit default-src

author: Miguel Jacq <mig@mig5.net> 2021-04-29 10:09:44 +1000
committer: Miguel Jacq <mig@mig5.net> 2021-04-29 10:09:44 +1000
commit: 330e6026940a7de78d6ac6165fb56d20516a996f (patch)
tree: ce8d77e8e01d8fa5973cf822d3eab7318c58ad19
parent: 470fb2bda3a04c856256191ceee267ce94515eef (diff)
download: onionshare-330e6026940a7de78d6ac6165fb56d20516a996f.tar.gz
onionshare-330e6026940a7de78d6ac6165fb56d20516a996f.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/cli/onionshare_cli/web/web.py b/cli/onionshare_cli/web/web.py
index ab47195c..7c2e4256 100644
--- a/cli/onionshare_cli/web/web.py
+++ b/cli/onionshare_cli/web/web.py
@@ -310,7 +310,7 @@ class Web:
         if not self.settings.get("website", "disable_csp") or self.mode != "website":
             r.headers.set(
                 "Content-Security-Policy",
-                "default-src 'self'; style-src 'self'; script-src 'self'; img-src 'self' data:;",
+                "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;",
             )
         return r
author	Miguel Jacq <mig@mig5.net>	2021-04-29 10:09:44 +1000
committer	Miguel Jacq <mig@mig5.net>	2021-04-29 10:09:44 +1000
commit	330e6026940a7de78d6ac6165fb56d20516a996f (patch)
tree	ce8d77e8e01d8fa5973cf822d3eab7318c58ad19
parent	470fb2bda3a04c856256191ceee267ce94515eef (diff)
download	onionshare-330e6026940a7de78d6ac6165fb56d20516a996f.tar.gz onionshare-330e6026940a7de78d6ac6165fb56d20516a996f.zip