Enhanced CSP

stever · stever · commit 433138a1df1e · 2025-10-05T11:52:19.000+01:00
diff --git a/apps/proxy/prod.Caddyfile b/apps/proxy/prod.Caddyfile
@@ -30,7 +30,7 @@
 
             # Production CSP
             # Using hash for inline script instead of 'unsafe-inline'
-            Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'sha256-HlD9D/WlEaVKKAvDnldsXkj/nllO8aCRBvtofUTEnGQ='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss://*.zxcoder.org https://*.zxcoder.org; worker-src 'self' blob:; child-src 'self' blob:; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content"
+            Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'sha256-HlD9D/WlEaVKKAvDnldsXkj/nllO8aCRBvtofUTEnGQ='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss://*.zxcoder.org https://*.zxcoder.org; worker-src 'self' blob:; child-src 'self' blob:; frame-src 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content"
 
             # CSP Report endpoint (optional - set up monitoring)
             # Report-To "{\"group\":\"csp-endpoint\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"https://your-report-collector.example.com/csp-reports\"}]}"
diff --git a/apps/web/public/index.html b/apps/web/public/index.html
@@ -23,6 +23,7 @@
     <meta name="twitter:title" content="Code . ZX Play">
     <meta name="twitter:description" content="A ZX Spectrum emulator & programming environment for the browser.">
     <meta name="twitter:image" content="/assets/images/embed-preview.png">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'sha256-HlD9D/WlEaVKKAvDnldsXkj/nllO8aCRBvtofUTEnGQ='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss://*.zxcoder.org https://*.zxcoder.org; worker-src 'self' blob:; child-src 'self' blob:; frame-src 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action 'self'">
     <link rel="stylesheet" type="text/css" href="/style.css?ver=<%= buildVersion %>">
 </head>
 <body>
