Add CSP and Permissions-Policy headers to _security_headers() for defense-in-depth against XSS and unwanted browser feature access.

CSP policy:
  default-src 'self' — only load resources from same origin
  script-src 'self' — prevent inline/remote script injection
  style-src 'self' 'unsafe-inline' — allow themes (inline styles)
  img-src 'self' data: — allow workspace images and data URIs
  font-src 'self' data: — allow web fonts
  connect-src 'self' — only allow fetch/XHR to same origin
  base-uri 'self'; form-action 'self' — prevent base/form injection

Permissions-Policy: disable camera, microphone, geolocation.

Addresses #193.
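The policy described in the commit, built and checked in code. This is an added example, not the project's own code: the `_security_headers()` below is an assumed reimplementation returning a plain dict, and `csp_weaknesses()` is a hypothetical review helper that flags the mistakes this policy is meant to avoid (inline script, wildcard sources, missing base-uri/form-action).

```python
# Directives exactly as listed in the commit message.
CSP_DIRECTIVES = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "font-src": ["'self'", "data:"],
    "connect-src": ["'self'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
}
# An empty allowlist "()" means no origin, not even the page itself, may use the feature.
PERMISSIONS_POLICY = {"camera": [], "microphone": [], "geolocation": []}

def build_csp(directives=CSP_DIRECTIVES):
    """Serialise a directive mapping into a Content-Security-Policy value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())

def build_permissions_policy(policy=PERMISSIONS_POLICY):
    """Serialise a feature mapping into a Permissions-Policy value."""
    return ", ".join(f"{f}=({' '.join(o)})" for f, o in policy.items())

def _security_headers():
    """Assumed (hypothetical) shape of the commit's helper: a dict of response headers."""
    return {
        "Content-Security-Policy": build_csp(),
        "Permissions-Policy": build_permissions_policy(),
    }

def parse_csp(value):
    """Parse a CSP header value back into {directive: [sources]}."""
    parsed = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            parsed[tokens[0]] = tokens[1:]
    return parsed

def csp_weaknesses(value):
    """Findings a reviewer would flag; an empty list means the policy matches the intent above."""
    csp = parse_csp(value)
    findings = []
    # script-src falls back to default-src when absent, so check the effective directive.
    script = csp.get("script-src", csp.get("default-src", []))
    if "'unsafe-inline'" in script or "'unsafe-eval'" in script:
        findings.append("script-src permits inline or eval'd script")
    findings += [f"{n} allows any origin" for n, s in csp.items() if "*" in s]
    findings += [f"{d} missing" for d in ("base-uri", "form-action") if d not in csp]
    return findings
```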