Remove child-src from CSP, add base-uri none

2019-12-22 21:24:46 +02:00 · 2019-12-22 21:24:46 +02:00 · 27986f5811
commit 27986f5811
parent 8696f03e8d
1 changed files with 1 additions and 1 deletions
--- a/src/server.js
+++ b/src/server.js
@ -296,12 +296,12 @@ function forceNoCacheRequest(req, res, next) {
 function indexRequest(req, res) {
 	const policies = [
 		"default-src 'none'", // default to nothing
+		"base-uri 'none'", // disallow <base>, has no fallback to default-src
 		"form-action 'self'", // 'self' to fix saving passwords in Firefox, even though login is handled in javascript
 		"connect-src 'self' ws: wss:", // allow self for polling; websockets
 		"style-src 'self' https: 'unsafe-inline'", // allow inline due to use in irc hex colors
 		"script-src 'self'", // javascript
 		"worker-src 'self'", // service worker
-		"child-src 'self'", // deprecated fall back for workers, Firefox <58, see #1902
 		"manifest-src 'self'", // manifest.json
 		"font-src 'self' https:", // allow loading fonts from secure sites (e.g. google fonts)
 		"media-src 'self' https:", // self for notification sound; allow https media (audio previews)