csp: we never use <base>
parent
cb094c7e78
commit
fe959e68a4
|
@ -102,7 +102,8 @@ trait AssetHelper { self: I18nHelper =>
|
|||
frameSrc = List("'self'", assets, "https://www.youtube.com"),
|
||||
workerSrc = List("'self'", assets),
|
||||
imgSrc = List("data:", "*"),
|
||||
scriptSrc = List("'self'", assets, "https://cdnjs.cloudflare.com")
|
||||
scriptSrc = List("'self'", assets, "https://cdnjs.cloudflare.com"),
|
||||
baseUri = List("'none'")
|
||||
)
|
||||
}
|
||||
|
||||
|
|
|
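Review bot: The new `baseUri = List("'none'")` entry has no comment saying what it protects against; the only rationale is the commit title. base-uri does not fall back to default-src, so this entry is the only thing stopping an injected `<base>` element from rebasing the page's relative URLs. I would add above it `// no page uses <base>; 'none' stops an injected <base> from rebasing relative URLs (base-uri has no default-src fallback)`. The enclosing definition starts outside the hunk.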
@ -8,7 +8,8 @@ case class ContentSecurityPolicy(
|
|||
frameSrc: List[String],
|
||||
workerSrc: List[String],
|
||||
imgSrc: List[String],
|
||||
scriptSrc: List[String]
|
||||
scriptSrc: List[String],
|
||||
baseUri: List[String]
|
||||
) {
|
||||
|
||||
private def withScriptSrc(source: String) = copy(scriptSrc = source :: scriptSrc)
|
||||
|
@ -66,7 +67,8 @@ case class ContentSecurityPolicy(
|
|||
"frame-src " -> frameSrc,
|
||||
"worker-src " -> workerSrc,
|
||||
"img-src " -> imgSrc,
|
||||
"script-src " -> scriptSrc
|
||||
"script-src " -> scriptSrc,
|
||||
"base-uri " -> baseUri
|
||||
) collect {
|
||||
case (directive, sources) if sources.nonEmpty =>
|
||||
sources.mkString(directive, " ", ";")
|
||||
|
|
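Review bot: An empty `baseUri` list silently drops the directive, because the `collect` guard `if sources.nonEmpty` in the last hunk applies to `"base-uri " -> baseUri` just as it does to the fetch directives. An omitted fetch directive can fall back to default-src (assuming the policy sets one, which these hunks do not show), but base-uri has no fallback, so omitting it lifts the restriction entirely. Since `baseUri: List[String]` is a plain list with no default, I would either document this on the field with `// empty list omits base-uri, which removes the restriction; use List("'none'") to forbid <base>` or render the empty case as `base-uri 'none';`. The case class body and the rendering method both continue outside the hunks.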