Merge branch 'jjlin-csp'

2024-06-15 10:28:21 +02:00 · 2022-10-14 17:56:03 +02:00 · 2022-10-14 17:56:03 +02:00 · 736dbc9553
parent c2725916f4 b4a38f1f63
commit 736dbc9553
1 changed files with 22 additions and 7 deletions
--- a/src/util.rs
+++ b/src/util.rs
@ -60,19 +60,34 @@ impl Fairing for AppHeaders {
            // Leaked Passwords check: api.pwnedpasswords.com
            // 2FA/MFA Site check: 2fa.directory
            // # Mail Relay: https://bitwarden.com/blog/add-privacy-and-security-using-email-aliases-with-bitwarden/
-            // app.simplelogin.io, app.anonaddy.com, api.fastmail.com
+            // app.simplelogin.io, app.anonaddy.com, api.fastmail.com, quack.duckduckgo.com
            let csp = format!(
                "default-src 'self'; \
+                object-src 'self' blob:; \
                script-src 'self'{script_src}; \
                style-src 'self' 'unsafe-inline'; \
-                img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com {icon_service_csp}; \
                child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
                frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
-                connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/; \
-                object-src 'self' blob:; \
-                frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {allowed_iframe_ancestors};",
-                icon_service_csp=CONFIG._icon_service_csp(),
-                allowed_iframe_ancestors=CONFIG.allowed_iframe_ancestors()
+                frame-ancestors 'self' \
+                  chrome-extension://nngceckbapebfimnlniiiahkandclblb \
+                  chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh \
+                  moz-extension://* \
+                  {allowed_iframe_ancestors}; \
+                img-src 'self' data: \
+                  https://haveibeenpwned.com/ \
+                  https://www.gravatar.com \
+                  {icon_service_csp}; \
+                connect-src 'self' \
+                  https://api.pwnedpasswords.com/range/ \
+                  https://2fa.directory/api/ \
+                  https://app.simplelogin.io/api/ \
+                  https://app.anonaddy.com/api/ \
+                  https://api.fastmail.com/ \
+                  https://quack.duckduckgo.com/api/email/ \
+                  ;\
+                ",
+                icon_service_csp = CONFIG._icon_service_csp(),
+                allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors()
            );
            res.set_raw_header("Content-Security-Policy", csp);
            res.set_raw_header("X-Frame-Options", "SAMEORIGIN");