workers-site: set CSP and Feature-Policy headers [deploy] [staging]
Signed-off-by: Harsh Shandilya <me@msfjarvis.dev>
This commit is contained in:
parent
c54dedcb03
commit
4c01bbc250
|
@ -4,6 +4,8 @@ const GITHUB_USERNAME = 'msfjarvis'
|
|||
const APS_SLUG = 'Android-Password-Store/Android-Password-Store'
|
||||
const GITHUB_URL = `https://github.com/${GITHUB_USERNAME}`
|
||||
const APS_GITHUB_URL = `https://github.com/${APS_SLUG}`
|
||||
const CSP_POLICY = "base-uri 'self'; connect-src 'self'; default-src 'self'; frame-ancestors 'none'; frame-src asciinema.org github.com platform.twitter.com; font-src 'self' data:; img-src 'self' data: gfycat.com imgur.com *.imgur.com syndication.twitter.com; object-src 'none'; script-src 'self' asciinema.org platform.twitter.com unpkg.com; style-src 'self' 'unsafe-inline';"
|
||||
const FEATURE_POLICY = "accelerometer 'none'; autoplay 'none';camera 'none';encrypted-media 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'none';usb 'none'";
|
||||
|
||||
export async function handleRequest(event: FetchEvent): Promise<Response> {
|
||||
return redirectGitHub(event)
|
||||
|
@ -19,6 +21,8 @@ async function getPageFromKV(event: FetchEvent): Promise<Response> {
|
|||
response.headers.set('X-Frame-Options', 'DENY')
|
||||
response.headers.set('Referrer-Policy', 'unsafe-url')
|
||||
response.headers.set('Feature-Policy', 'none')
|
||||
response.headers.set('Content-Security-Policy', CSP_POLICY)
|
||||
response.headers.set('Feature-Policy', FEATURE_POLICY)
|
||||
return response
|
||||
} catch (e) {
|
||||
try {
|
||||
|
|
Loading…
Reference in New Issue