From db8f0cb141b9d39641f19d19fddba6fe05170aeb Mon Sep 17 00:00:00 2001
From: Miguel Jacq <mig@mig5.net>
Date: Tue, 30 Aug 2022 13:39:10 +1000
Subject: [PATCH] Harden the CSP a bit for values that don't inherit
 default-src. Set Permissions-Policy. Remove TODO

---
 app/main.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/main.py b/app/main.py
index 63f740b..e29f2f3 100644
--- a/app/main.py
+++ b/app/main.py
@@ -132,11 +132,12 @@ class CustomMiddleware:
                 ] = "no-referrer, strict-origin-when-cross-origin"
                 headers["x-content-type-options"] = "nosniff"
                 headers["x-xss-protection"] = "1; mode=block"
-                headers["x-frame-options"] = "SAMEORIGIN"
-                # TODO(ts): disallow inline CSS?
+                headers["x-frame-options"] = "DENY"
+                headers["permissions-policy"] = "interest-cohort=()"
                 headers["content-security-policy"] = (
                     f"default-src 'self'; "
-                    f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}';"
+                    f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; "
+                    f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
                 )
                 if not DEBUG:
                     headers["strict-transport-security"] = "max-age=63072000;"