From f8d8a146c5b2d19cbfef8e329aeb4ad30456a0b5 Mon Sep 17 00:00:00 2001
From: tdro
Date: Wed, 4 May 2022 19:43:41 -0400
Subject: themes/default/layouts/partials/csp: Add connect-src

---
config.json | 3 +++
config.toml | 1 +
config.yaml | 1 +
themes/default/layouts/partials/csp.html | 2 ++
4 files changed, 7 insertions(+)

diff --git a/config.json b/config.json
index 9189bde..357c47b 100644
--- a/config.json
+++ b/config.json
@@ -142,6 +142,9 @@
"'self'",
"'unsafe-inline'",
"http://preview.test"
+ ],
"connectsrc": [
+ "'self'"
]
}
},
diff --git a/config.toml b/config.toml
index c16f72e..676c81e 100644
--- a/config.toml
+++ b/config.toml
@@ -103,6 +103,7 @@ enableRobotsTXT = true
scriptsrc = ["'self'", "s.imgur.com", "platform.twitter.com"]
scriptsrcelem = ["'self'", "s.imgur.com", "platform.twitter.com"]
stylesrc = ["'self'", "'unsafe-inline'", "http://preview.test"]
+ connectsrc = ["'self'"]
[outputFormats]
diff --git a/config.yaml b/config.yaml
index c95c1dc..5842f8f 100644
--- a/config.yaml
+++ b/config.yaml
@@ -89,6 +89,7 @@ params:
scriptsrc: ["'self'", s.imgur.com, platform.twitter.com]
scriptsrcelem: ["'self'", s.imgur.com, platform.twitter.com]
stylesrc: ["'self'", "'unsafe-inline'", http://preview.test]
+ connectsrc: ["'self'"]
outputFormats:
html:
diff --git a/themes/default/layouts/partials/csp.html b/themes/default/layouts/partials/csp.html
index 81a6af6..62489ec 100644
--- a/themes/default/layouts/partials/csp.html
+++ b/themes/default/layouts/partials/csp.html
@@ -15,6 +15,7 @@
block-all-mixed-content;
default-src 'self';
child-src %s;
+ connect-src %s;
font-src %s;
form-action %s;
frame-src %s;
@@ -28,6 +29,7 @@
">`
($upgrade)
(delimit .Site.Params.csp.childsrc " ")
+ (delimit .Site.Params.csp.connectsrc " ")
(delimit .Site.Params.csp.fontsrc " ")
(delimit .Site.Params.csp.formaction " ")
(delimit .Site.Params.csp.framesrc " ")
-- 
cgit v1.2.3
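Review bot: The new `connect-src %s;` directive in the csp.html partial has no fallback for a site config that omits `connectsrc`: the three config hunks add the key for this repository, but another site using the theme would render the directive with an empty source list (or, if `delimit` rejects a nil value, fail the build — worth confirming in Hugo), and an empty `connect-src` no longer inherits `default-src 'self'` as the previous output did, so fetch/XHR/WebSocket requests from the site's own origin would be blocked. Defaulting the argument preserves the old behaviour for existing configs, e.g. `(delimit (default (slice "'self'") .Site.Params.csp.connectsrc) " ")`. The enclosing printf call starts before the first hunk and ends after the second, so the `%s` added at line 18 and the argument added at line 31 must keep their positions aligned with each other.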