stacker.news

Commit Graph

Author	SHA1	Message	Date
ekzyis	fc18a917e3	Add Content Security Policy headers (#805 ) * Basic CSP with unsafe-inline, unsafe-eval * Allow 'self' for img-src and connect-src Apparently, there is a bug for Chrome on iOS if connect-src does not allow 'self'. See known issues at https://caniuse.com/contentsecuritypolicy * Use nonces for strict CSP * More CSP comments * Add frame-ancestors directive * Add more useful headers * Add HSTS header * Allow youtube and twitter embeds For some reason, www.youtube.com is enough. It also works for youtube.com and youtube-nocookie.com. For twitter embeds from twitter.com or x.com, platform.twitter.com is enough. * Allow CDN and media domain in CSP * Only allow unsafe-eval in dev build * Ignore _next/webpack-hmr in middleware	2024-02-13 13:10:06 -06:00
keyan	41226245c5	referrals	2022-12-19 16:27:52 -06:00

Author

SHA1

Message

Date

ekzyis

fc18a917e3

Add Content Security Policy headers (#805 )

* Basic CSP with unsafe-inline, unsafe-eval

* Allow 'self' for img-src and connect-src

Apparently, there is a bug for Chrome on iOS if connect-src does not allow 'self'.

See known issues at https://caniuse.com/contentsecuritypolicy

* Use nonces for strict CSP

* More CSP comments

* Add frame-ancestors directive

* Add more useful headers

* Add HSTS header

* Allow youtube and twitter embeds

For some reason, www.youtube.com is enough. It also works for youtube.com and youtube-nocookie.com.

For twitter embeds from twitter.com or x.com, platform.twitter.com is enough.

* Allow CDN and media domain in CSP

* Only allow unsafe-eval in dev build

* Ignore _next/webpack-hmr in middleware

2024-02-13 13:10:06 -06:00

keyan

41226245c5

referrals

2022-12-19 16:27:52 -06:00

2 Commits