authorJelle van der Waa <jelle@archlinux.org>2019-02-24 17:14:17 +0100
committerJelle van der Waa <jelle@archlinux.org>2019-02-24 17:14:17 +0100
commitaae6e43fccada4883bd2630a2c33666d3461f08e (patch)
treed9b3ba0684c5a4195904c758f197288bd6db0f0a
parentb737f2b4c393a3a4ff352573e1accdd17e3aa67a (diff)
Add base-uri and frame-ancestors to CSPrelease_2019-02-24
The archweb website contains no <base> elements, so this can be disallowed. Also, frame-ancestors is set to the same value as X-Frame-Options. Signed-off-by: Jelle van der Waa <jelle@archlinux.org>
-rw-r--r--settings.py2
1 files changed, 2 insertions, 0 deletions
diff --git a/settings.py b/settings.py
index 17377c25..8d06b326 100644
--- a/settings.py
+++ b/settings.py
@@ -98,6 +98,8 @@ CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'",)
CSP_INCLUDE_NONCE_IN = ['script-src']
CSP_IMG_SRC = ("'self'", 'data:',)
+CSP_BASE_URI = ("'none'",)
+CSP_FRAME_ANCESTORS = ("'none'",)
# Use new test runner
TEST_RUNNER = 'django.test.runner.DiscoverRunner'
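Review bot: The two new directives carry the reasoning only in the commit message, so a maintainer reading settings.py later has no way to see why `CSP_BASE_URI` is `'none'` or that `CSP_FRAME_ANCESTORS` is meant to mirror the X-Frame-Options setting. I would add `# No <base> elements are rendered anywhere, so forbid them outright (a <base> injection could redirect relative script/form URLs)` above the `CSP_BASE_URI` line and `# Keep in sync with X-Frame-Options; frame-ancestors only takes effect when the policy is enforced, not in report-only mode` above `CSP_FRAME_ANCESTORS`. The second comment matters because the X-Frame-Options header must remain in place as the fallback for that case and for browsers that ignore frame-ancestors; where X-Frame-Options is configured is not visible in this hunk, so the comment should name the actual setting once confirmed. One context line of the hunk (presumably a blank line) appears to have been dropped by the page rendering, so the placement is inferred from the surrounding settings.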