workers-site: set CSP and Feature-Policy headers [deploy] [staging]

Signed-off-by: Harsh Shandilya <me@msfjarvis.dev>

workers-site/src/handler.ts

@@ -4,6 +4,8 @@ const GITHUB_USERNAME = 'msfjarvis'
 const APS_SLUG = 'Android-Password-Store/Android-Password-Store'
 const GITHUB_URL = `https://github.com/${GITHUB_USERNAME}`
 const APS_GITHUB_URL = `https://github.com/${APS_SLUG}`
+const CSP_POLICY = "base-uri 'self'; connect-src 'self'; default-src 'self'; frame-ancestors 'none'; frame-src asciinema.org github.com platform.twitter.com; font-src 'self' data:; img-src 'self' data: gfycat.com imgur.com *.imgur.com syndication.twitter.com; object-src 'none'; script-src 'self' asciinema.org platform.twitter.com unpkg.com; style-src 'self' 'unsafe-inline';"
+const FEATURE_POLICY = "accelerometer 'none'; autoplay 'none';camera 'none';encrypted-media 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'none';usb 'none'";
 
 export async function handleRequest(event: FetchEvent): Promise<Response> {
   return redirectGitHub(event)
@@ -19,6 +21,8 @@ async function getPageFromKV(event: FetchEvent): Promise<Response> {
     response.headers.set('X-Frame-Options', 'DENY')
     response.headers.set('Referrer-Policy', 'unsafe-url')
     response.headers.set('Feature-Policy', 'none')
+    response.headers.set('Content-Security-Policy', CSP_POLICY)
+    response.headers.set('Feature-Policy', FEATURE_POLICY)
     return response
   } catch (e) {
     try {