commit 4d648b92ac1ac5f952a42f29052c56e8d32547a3 from: Omar Polo date: Sat Aug 20 13:58:05 2022 UTC gotwebd: add CSP policy ok tracey@
commit - f897bb2469da024a8db3b1fae10d24ac7cf040e1
commit + 4d648b92ac1ac5f952a42f29052c56e8d32547a3
blob - e1cfdd3906bda91a9adc685b20feaf8b9b3adbd0
blob + 072126ddb17614b1c833d48856c433c128ab891c
--- gotwebd/gotweb.c
+++ gotwebd/gotweb.c
@@ -625,7 +625,13 @@ gotweb_free_transport(struct transport *t)
 const struct got_error *
 gotweb_render_content_type(struct request *c, const uint8_t *type)
 {
- fcgi_printf(c, "Content-Type: %s\r\n\r\n", type);
+ const char *csp = "default-src 'self'; script-src 'none'; "
+ "object-src 'none';";
+
+ fcgi_printf(c,
+ "Content-Security-Policy: %s\r\n"
+ "Content-Type: %s\r\n\r\n",
+ csp, type);
 return NULL;
 }
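Review bot: The policy in `csp` leans on `default-src 'self'` as the fallback, but `frame-ancestors`, `base-uri` and `form-action` do not inherit from `default-src`, so this header alone restricts neither framing by other origins nor an injected `<base>` or form target. If embedding gotwebd pages in third-party frames is not a supported use, the second literal could read `"object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none';"`. The header is emitted only from gotweb_render_content_type(), so any response path that writes its own headers (none is visible in this hunk) would go out without it. A one-line comment above `csp`, such as `/* sent with every response rendered through this function */`, would make that coverage explicit.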