authorPeter Stone <thepeterstone@gmail.com>2026-01-27 10:28:26 -1000
committerPeter Stone <thepeterstone@gmail.com>2026-01-27 10:28:26 -1000
commit994b92f6c6ce204675b9e20ff1e9b4a3bfa39bea (patch)
tree41ea36a1f9ef3f7ea613fd2887b32920822b8686 /internal/middleware/security.go
parent9e3c28db46753b428ccd00d2799c4ac794a95f42 (diff)
Fix CSP to allow conditions page embeds and fonts
Allow external resources in Content-Security-Policy: - frame-src: youtube.com, embed.windy.com (for webcams/weather) - style-src: fonts.googleapis.com (for Inter font) - font-src: fonts.gstatic.com (for font files) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Diffstat (limited to 'internal/middleware/security.go')
-rw-r--r--internal/middleware/security.go7
1 files changed, 4 insertions, 3 deletions
diff --git a/internal/middleware/security.go b/internal/middleware/security.go
index 159a0e6..e048645 100644
--- a/internal/middleware/security.go
+++ b/internal/middleware/security.go
@@ -21,13 +21,14 @@ func SecurityHeaders(debug bool) func(http.Handler) http.Handler {
w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
}
- // Content Security Policy - allow self, inline styles (Tailwind), and external images
+ // Content Security Policy - allow self, inline styles (Tailwind), external images, and embeds
w.Header().Set("Content-Security-Policy",
"default-src 'self'; "+
"img-src 'self' https: data:; "+
"script-src 'self' 'unsafe-inline' https://unpkg.com; "+
- "style-src 'self' 'unsafe-inline'; "+
- "font-src 'self' https:; "+
+ "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "+
+ "font-src 'self' https://fonts.gstatic.com; "+
+ "frame-src https://www.youtube.com https://embed.windy.com; "+
"connect-src 'self'")
next.ServeHTTP(w, r)
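Review bot: The added `frame-src` line permits framing third-party origins, but the policy still sets no `frame-ancestors`, and that directive (unlike `frame-src`) does not fall back to `default-src`, so the app's own pages stay frameable by any origin unless an `X-Frame-Options` header is set elsewhere in this handler (outside the hunk, so I cannot tell). I would add `"frame-ancestors 'self'; "+` beside `frame-src`, and while here `"base-uri 'self'; "+` and `"form-action 'self'; "+`, since neither of those inherits from `default-src` either. Unrelated to this commit but worth a caveat in the comment above the header: the unchanged `script-src 'self' 'unsafe-inline' https://unpkg.com` leaves the policy with little XSS mitigation — Tailwind only needs `'unsafe-inline'` on `style-src`, so scripts could move to nonces or hashes, and anything on unpkg.com is loadable without SRI. The handler closure that builds these headers continues past the end of the hunk.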