From c9fbbdce1c592cb7d01510b7c0479f23135a4a6c Mon Sep 17 00:00:00 2001
From: strawberry
Date: Mon, 3 Jun 2024 18:07:39 -0400
Subject: [PATCH] csp: remove unusual directives, slight security improvement
Signed-off-by: strawberry
---
 src/router/layers.rs | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/router/layers.rs b/src/router/layers.rs
index 2b1eaca6..ea872984 100644
--- a/src/router/layers.rs
+++ b/src/router/layers.rs
@@ -21,6 +21,10 @@ use tracing::Level;
 use crate::{request, router};
+const CONDUWUIT_CSP: &str =
+ "sandbox; default-src 'none'; font-src 'none'; script-src 'none'; frame-ancestors 'none'; base-uri 'none';";
+const CONDUWUIT_PERMISSIONS_POLICY: &str = "interest-cohort=(),browsing-topics=()";
+
 pub(crate) fn build(server: &Arc) -> io::Result> {
 let layers = ServiceBuilder::new();
@@ -60,14 +64,11 @@ pub(crate) fn build(server: &Arc) -> io::Result
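Review bot: `CONDUWUIT_CSP` in the first hunk has no comment saying which directives are load-bearing, which matters because `sandbox`, `frame-ancestors` and `base-uri` do not fall back to `default-src`, while `font-src 'none'` and `script-src 'none'` only restate `default-src 'none'`. I would add above the constant: `// sandbox, frame-ancestors and base-uri are not covered by default-src and must stay explicit; font-src/script-src only restate it.` `form-action` is also outside the `default-src` fallback and is not listed; `sandbox` without `allow-forms` already blocks form submission, so adding `form-action 'none'` would be defence in depth rather than a fix. The code that attaches both constants to responses is in the second hunk, which is cut off in this view, so whether they reach every route cannot be confirmed from here.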