From 330e6026940a7de78d6ac6165fb56d20516a996f Mon Sep 17 00:00:00 2001
From: Miguel Jacq
Date: Thu, 29 Apr 2021 10:09:44 +1000
Subject: Update the Content-Security-Policy: remove style-src and script-src which are inherited by default-src. Add frame-ancestors, form-action and base-uri which do not inherit default-src

---
 cli/onionshare_cli/web/web.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cli/onionshare_cli/web/web.py b/cli/onionshare_cli/web/web.py
index ab47195c..7c2e4256 100644
--- a/cli/onionshare_cli/web/web.py
+++ b/cli/onionshare_cli/web/web.py
@@ -310,7 +310,7 @@ class Web:
         if not self.settings.get("website", "disable_csp") or self.mode != "website":
             r.headers.set(
                 "Content-Security-Policy",
-                "default-src 'self'; style-src 'self'; script-src 'self'; img-src 'self' data:;",
+                "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; img-src 'self' data:;",
             )
         return r
-- 
cgit v1.2.3-54-g00ecf
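Review bot: The added line `frame-ancestors 'none'; form-action 'self'; base-uri 'self'` carries the only non-obvious reasoning in this hunk — those three directives have no `default-src` fallback, which is also why `style-src` and `script-src` could safely be dropped — but that reasoning lives only in the commit message, not next to the code. A short comment above the `r.headers.set(` call would keep it with the header, e.g. `# frame-ancestors, form-action and base-uri do not fall back to default-src, so they must be listed explicitly; style-src/script-src inherit 'self' from it`. It may also be worth confirming that letting `object-src` inherit `'self'` is intended rather than pinning it to `'none'`, which is the usual hardening when no plugin content is served; the hunk alone does not show whether anything depends on it. The enclosing method starts before this hunk.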