Reformat CSP header for readability

2025-10-31 10:18:19 +02:00 · 2022-10-11 21:25:29 -07:00
parent 1e32db8c41
commit 4283a49e0b
1 changed files with 20 additions and 6 deletions
--- a/src/util.rs
+++ b/src/util.rs
@@ -63,16 +63,30 @@ impl Fairing for AppHeaders {
            // app.simplelogin.io, app.anonaddy.com, api.fastmail.com
            let csp = format!(
                "default-src 'self'; \
+                object-src 'self' blob:; \
                script-src 'self'{script_src}; \
                style-src 'self' 'unsafe-inline'; \
-                img-src 'self' data: https://haveibeenpwned.com/ https://www.gravatar.com {icon_service_csp}; \
                child-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
                frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; \
-                connect-src 'self' https://api.pwnedpasswords.com/range/ https://2fa.directory/api/ https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/; \
-                object-src 'self' blob:; \
-                frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* {allowed_iframe_ancestors};",
-                icon_service_csp=CONFIG._icon_service_csp(),
-                allowed_iframe_ancestors=CONFIG.allowed_iframe_ancestors()
+                frame-ancestors 'self' \
+                  chrome-extension://nngceckbapebfimnlniiiahkandclblb \
+                  chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh \
+                  moz-extension://* \
+                  {allowed_iframe_ancestors}; \
+                img-src 'self' data: \
+                  https://haveibeenpwned.com/ \
+                  https://www.gravatar.com \
+                  {icon_service_csp}; \
+                connect-src 'self' \
+                  https://api.pwnedpasswords.com/range/ \
+                  https://2fa.directory/api/ \
+                  https://app.simplelogin.io/api/ \
+                  https://app.anonaddy.com/api/ \
+                  https://api.fastmail.com/ \
+                  ;\
+                ",
+                icon_service_csp = CONFIG._icon_service_csp(),
+                allowed_iframe_ancestors = CONFIG.allowed_iframe_ancestors()
            );
            res.set_raw_header("Content-Security-Policy", csp);
            res.set_raw_header("X-Frame-Options", "SAMEORIGIN");