custom_http_frontend_headers = custom_http_frontend_headers()
headers = [
- {"x-xss-protection", "1; mode=block"},
+ {"x-xss-protection", "0"},
{"x-permitted-cross-domain-policies", "none"},
{"x-frame-options", "DENY"},
{"x-content-type-options", "nosniff"},
{"referrer-policy", referrer_policy},
- {"x-download-options", "noopen"},
- {"content-security-policy", csp_string()}
+ {"content-security-policy", csp_string()},
+ {"permissions-policy", "interest-cohort=()"}
]
headers =
]
}
- [{"reply-to", Jason.encode!(report_group)} | headers]
+ [{"report-to", Jason.encode!(report_group)} | headers]
else
headers
end
static_csp_rules = [
"default-src 'none'",
- "base-uri 'self'",
+ "base-uri 'none'",
"frame-ancestors 'none'",
"style-src 'self' 'unsafe-inline'",
"font-src 'self'",
{[img_src, " https:"], [media_src, " https:"]}
end
- connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
-
connect_src =
- if Config.get(:env) == :dev do
- [connect_src, " http://localhost:3035/"]
+ if Config.get([:media_proxy, :enabled]) do
+ sources = build_csp_multimedia_source_list()
+ ["connect-src 'self' blob: ", static_url, ?\s, websocket_url, ?\s, sources]
else
- connect_src
+ ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
end
script_src =
defp maybe_send_sts_header(conn, true) do
max_age_sts = Config.get([:http_security, :sts_max_age])
- max_age_ct = Config.get([:http_security, :ct_max_age])
merge_resp_headers(conn, [
- {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"},
- {"expect-ct", "enforce, max-age=#{max_age_ct}"}
+ {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains; preload"}
])
end
projects / akkoma / blobdiff