| field | value | date |
|---|---|---|
| author | Fuwn <[email protected]> | 2026-06-01 13:09:56 +0000 |
| committer | Fuwn <[email protected]> | 2026-06-01 13:09:56 +0000 |
| commit | 571e8b7961660aa193f755f8e4bb71e0984486da (patch) | |
| tree | a4819275b8cd8f8fb61bfac6310400eb3f081916 /src | |
| parent | fix(security): mark auth cookies Secure outside localhost (diff) | |
| download | due.moe-571e8b7961660aa193f755f8e4bb71e0984486da.tar.xz, due.moe-571e8b7961660aa193f755f8e4bb71e0984486da.zip | |
feat(security): add Content-Security-Policy
No CSP existed, leaving the app without defense-in-depth against XSS.
Add a SvelteKit nonce-based policy (mode: auto): script-src limited to
self + per-request nonce + the analytics/Vercel script hosts, object-src
none, base-uri and frame-ancestors self. img/style/font/connect stay
permissive (https:) so the image proxy, CDNs, fonts and the many
cross-origin API calls keep working; the two inline app.html scripts
carry %sveltekit.nonce%. Verified in-browser across routes (no
violations, HMR and hydration intact) and via a production build.
Diffstat (limited to 'src')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | src/app.html | 4 |

1 files changed, 2 insertions, 2 deletions
diff --git a/src/app.html b/src/app.html index a8eceb73..1f9fc4dd 100644 --- a/src/app.html +++ b/src/app.html @@ -94,7 +94,7 @@ <meta name="msapplication-square310x310logo" content="mstile-310x310.png" /> <!-- Umami is a simple, fast, and privacy-focused alternative to Google Analytics. --> - <script> + <script nonce="%sveltekit.nonce%"> if (!['localhost', '127.0.0.1'].includes(window.location.hostname)) { const script = document.createElement('script'); @@ -106,7 +106,7 @@ } </script> - <script> + <script nonce="%sveltekit.nonce%"> window.global = window; aoButa = ''; |
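Review bot: in the first hunk, the Umami loader that this inline script creates with `document.createElement('script')` carries no nonce of its own, so it is admitted only because the analytics host is allow-listed in script-src (as the commit message states), and the unchanged `if (!['localhost', '127.0.0.1'].includes(window.location.hostname))` guard means that code path never runs on localhost; the "no violations" check described in the message therefore only covers the analytics allow-list if it was repeated against a non-localhost hostname (a preview deployment, for example). A one-line comment above the `<script nonce="%sveltekit.nonce%">` saying that the inline block needs the nonce while the injected loader relies on the host allow-list would save the next person from adding `script.nonce` or removing the host entry without understanding the dependency.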
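Review bot: in the second hunk, `aoButa = '';` assigns to an undeclared identifier, which creates an implicit global in sloppy mode and throws a ReferenceError under strict mode; since the line directly above already writes `window.global = window;`, make it `window.aoButa = '';` for consistency and so the intent (a deliberate global) is explicit. Unrelated to the nonce change itself, but this is the last hunk touching that block, so it is the cheapest place to fix it.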