Restrict content security policy to load data only from current origin

Remove frame-acestors completely because it isn't included into an iframe anymore. If this is still required the CSP settings can be adjusted via a command line parameter. More important don't allow executing javascript from inline html. Only from references javascript files. But allow to load CSS from inline <style> elements via style-src-elem (not supported by firefox yet) and style-src CSP settings. Fixes AP-1507
greenbone · Jul 20, 2021 · 9c6bd5b · 9c6bd5b
1 parent edc594b
commit 9c6bd5b
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/gsad/src/gsad.c b/gsad/src/gsad.c
@@ -157,9 +157,11 @@
  * @brief Default value for HTTP header "Content-Security-Policy"
  */
 #define DEFAULT_GSAD_CONTENT_SECURITY_POLICY \
-  "default-src 'self' 'unsafe-inline';"      \
-  " img-src 'self' blob:;"                   \
-  " frame-ancestors 'self'"
+  "default-src 'self'; "                     \
+  "script-src 'self'; "                      \
+  "style-src-elem 'self' 'unsafe-inline'; "  \
+  "style-src 'self' 'unsafe-inline'; "       \
+  "img-src 'self' blob:;"
 
 /**
  * @brief Default "max-age" for HTTP header "Strict-Transport-Security"