| author | Ben Harris <bjh21@bjh21.me.uk> | 2023-01-21 13:23:38 +0000 |
|---|---|---|
| committer | Ben Harris <bjh21@bjh21.me.uk> | 2023-01-21 13:37:45 +0000 |
| commit | 667ce177294e0b4c4331c2af2bdc96ee9631fbf2 (patch) | |
| tree | a5e5378ee674c1696808cad2adc6ab60328a623d /kaios | |
| parent | eb366cb6c6c0dd23be392afaa280e97d4b9d966c (diff) | |
Add a content security policy for the KaiOS app
This is for defence in depth against security holes either in Puzzles or
in the KaiAds API. I haven't found any documentation of what KaiAds'
CSP requirements are, but allowing scripts and frames from *.kaiads.com
seems to be enough to let the test adverts work.
Diffstat (limited to 'kaios')
| -rwxr-xr-x | kaios/manifest.pl | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/kaios/manifest.pl b/kaios/manifest.pl index 838ff3e..94c57ad 100755 --- a/kaios/manifest.pl +++ b/kaios/manifest.pl @@ -66,5 +66,10 @@ print JSON::PP->new->canonical->encode({ description => "Required to display advertisements" }, }, + csp => "default-src 'self'; + script-src 'self' https://*.kaiads.com; + style-src 'self' 'unsafe-inline'; + frame-src 'self' https://*.kaiads.com; + img-src 'self' data:;" =~ s/\s+/ /gr, $decvers ? (version => $decvers) : (), }) |
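Review bot: the new `csp` string in kaios/manifest.pl sets no `connect-src`, so any XHR/fetch the KaiAds script makes falls back to `default-src 'self'` and would be blocked; given that the commit message says the KaiAds CSP requirements are undocumented and only test adverts were checked, it is worth confirming that live ad delivery does not also need `connect-src 'self' https://*.kaiads.com`, and recording the outcome in a comment beside the policy so the next person does not have to rediscover it. On the same hunk, `style-src 'self' 'unsafe-inline'` gives up the policy's protection against injected inline styles, which cuts into the defence-in-depth goal stated in the message; a comment explaining whether that is for Puzzles' own pages or for the ad frames would help, and if it is only the former, hashes or an external stylesheet would let it be dropped later. Finally, `base-uri` does not inherit from `default-src`, so adding `base-uri 'self'` (and an explicit `object-src 'none'` rather than relying on the fallback) would tighten the policy at no cost to the adverts.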