Set base-uri to none
All checks were successful
ci/woodpecker/pr/woodpecker Pipeline was successful

pleroma-fe doesn't use this and it seems too niche to have any use-case

Signed-off-by: r3g_5z <june@terezi.dev>
This commit is contained in:
r3g_5z 2022-11-20 00:34:53 -05:00
parent c08ee3edb2
commit f26108dba1
No known key found for this signature in database
3 changed files with 3 additions and 3 deletions

View file

@ -33,7 +33,7 @@ A content security policy (CSP) will also be set:
```csp
content-security-policy:
default-src 'none';
base-uri 'self';
base-uri 'none';
frame-ancestors 'none';
img-src 'self' data: blob: https:;
media-src 'self' https:;

View file

@ -165,7 +165,7 @@ http protocol plerup { # Protocol for upstream akkoma server
match response header append "X-Frame-Options" value "DENY"
match response header append "X-Content-Type-Options" value "nosniff"
match response header append "Referrer-Policy" value "same-origin"
match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here
match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'none'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here
match request header append "Connection" value "upgrade"
#match response header append "Strict-Transport-Security" value "max-age=63072000; includeSubDomains; preload" # Uncomment this only after you get HTTPS working.

View file

@ -75,7 +75,7 @@ def headers do
static_csp_rules = [
"default-src 'none'",
"base-uri 'self'",
"base-uri 'none'",
"frame-ancestors 'none'",
"style-src 'self' 'unsafe-inline'",
"font-src 'self'",