|
|
@ -63,16 +63,30 @@ impl Fairing for AppHeaders { |
|
|
|
// app.simplelogin.io, app.anonaddy.com, api.fastmail.com
|
|
|
|
let csp = format!( |
|
|
|
"default-src 'self'; \ |
|
|
|
object-src 'self' blob:; \ |
|
|
|
script-src 'self'{script_src}; \ |
|
|
|
style-src 'self' 'unsafe-inline'; \ |
|
|
|
img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com {icon_service_csp}; \
|
|
|
|
child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
|
|
|
|
frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
|
|
|
|
connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/; \
|
|
|
|
object-src 'self' blob:; \ |
|
|
|
frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {allowed_iframe_ancestors};",
|
|
|
|
icon_service_csp=CONFIG._icon_service_csp(), |
|
|
|
allowed_iframe_ancestors=CONFIG.allowed_iframe_ancestors() |
|
|
|
frame-ancestors 'self' \ |
|
|
|
chrome-extension://nngceckbapebfimnlniiiahkandclblb \
|
|
|
|
chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh \
|
|
|
|
moz-extension://* \
|
|
|
|
{allowed_iframe_ancestors}; \ |
|
|
|
img-src 'self' data: \ |
|
|
|
https://haveibeenpwned.com/ \
|
|
|
|
https://www.gravatar.com \
|
|
|
|
{icon_service_csp}; \ |
|
|
|
connect-src 'self' \ |
|
|
|
https://api.pwnedpasswords.com/range/ \
|
|
|
|
https://2fa.directory/api/ \
|
|
|
|
https://app.simplelogin.io/api/ \
|
|
|
|
https://app.anonaddy.com/api/ \
|
|
|
|
https://api.fastmail.com/ \
|
|
|
|
;\ |
|
|
|
", |
|
|
|
icon_service_csp = CONFIG._icon_service_csp(), |
|
|
|
allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors() |
|
|
|
); |
|
|
|
res.set_raw_header("Content-Security-Policy", csp); |
|
|
|
res.set_raw_header("X-Frame-Options", "SAMEORIGIN"); |
|
|
|