dunkirk.sh / thistle
🪻 distributed transcription service thistle.dunkirk.sh
fork atom

chore: update csp and security headers

dunkirk.sh 39544f38 8fbf640c

verified
options
unified split
Changed files
+27 -8
src
index.ts
pages
admin.html
checkout.html
class.html
classes.html
index.html
reset-password.html
settings.html
transcribe.html
+27
src/index.ts 
···

       
3439

       
3439

       
 

       
		hmr: true,


     

       
3440

       
3440

       
 

       
		console: true,


     

       
3441

       
3441

       
 

       
	},


     

       

       
3442

       
+

       
	fetch(req, server) {


     

       

       
3443

       
+

       
		const response = server.fetch(req);


     

       

       
3444

       
+

       
		


     

       

       
3445

       
+

       
		// Add security headers to all responses


     

       

       
3446

       
+

       
		if (response instanceof Response) {


     

       

       
3447

       
+

       
			const headers = new Headers(response.headers);


     

       

       
3448

       
+

       
			headers.set("Permissions-Policy", "interest-cohort=()");


     

       

       
3449

       
+

       
			headers.set("X-Content-Type-Options", "nosniff");


     

       

       
3450

       
+

       
			headers.set("X-Frame-Options", "DENY");


     

       

       
3451

       
+

       
			headers.set("Referrer-Policy", "strict-origin-when-cross-origin");


     

       

       
3452

       
+

       
			


     

       

       
3453

       
+

       
			// Set CSP that allows inline styles with unsafe-inline (needed for Lit components)


     

       

       
3454

       
+

       
			// and script-src 'self' for bundled scripts


     

       

       
3455

       
+

       
			headers.set(


     

       

       
3456

       
+

       
				"Content-Security-Policy",


     

       

       
3457

       
+

       
				"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none';"


     

       

       
3458

       
+

       
			);


     

       

       
3459

       
+

       
			


     

       

       
3460

       
+

       
			return new Response(response.body, {


     

       

       
3461

       
+

       
				status: response.status,


     

       

       
3462

       
+

       
				statusText: response.statusText,


     

       

       
3463

       
+

       
				headers,


     

       

       
3464

       
+

       
			});


     

       

       
3465

       
+

       
		}


     

       

       
3466

       
+

       
		


     

       

       
3467

       
+

       
		return response;


     

       

       
3468

       
+

       
	},


     

       
3442

       
3469

       
 

       
});


     

       
3443

       
3470

       
 

       
console.log(`🪻 Thistle running at http://localhost:${server.port}`);


     

       
3444

       
3471
-1
src/pages/admin.html 
···

       
4

       
4

       
 

       
<head>


     

       
5

       
5

       
 

       
  <meta charset="UTF-8">


     

       
6

       
6

       
 

       
  <meta name="viewport" content="width=device-width, initial-scale=1.0">


     

       
7

       

       
-

       
  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">


     

       
8

       
7

       
 

       
  <title>Admin - Thistle</title>


     

       
9

       
8

       
 

       
  <link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">


     

       
10

       
9

       
 

       
  <link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/checkout.html 
···

       
4

       
4

       
 

       
<head>


     

       
5

       
5

       
 

       
	<meta charset="UTF-8">


     

       
6

       
6

       
 

       
	<meta name="viewport" content="width=device-width, initial-scale=1.0">


     

       
7

       

       
-

       
	<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">


     

       
8

       
7

       
 

       
	<title>Success! - Thistle</title>


     

       
9

       
8

       
 

       
	<link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">


     

       
10

       
9

       
 

       
	<link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/class.html 
···

       
4

       
4

       
 

       
<head>


     

       
5

       
5

       
 

       
  <meta charset="UTF-8">


     

       
6

       
6

       
 

       
  <meta name="viewport" content="width=device-width, initial-scale=1.0">


     

       
7

       

       
-

       
  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">


     

       
8

       
7

       
 

       
  <title>Class - Thistle</title>


     

       
9

       
8

       
 

       
  <link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">


     

       
10

       
9

       
 

       
  <link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/classes.html 
···

       
4

       
4

       
 

       
<head>


     

       
5

       
5

       
 

       
  <meta charset="UTF-8">


     

       
6

       
6

       
 

       
  <meta name="viewport" content="width=device-width, initial-scale=1.0">


     

       
7

       

       
-

       
  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">


     

       
8

       
7

       
 

       
  <title>Classes - Thistle</title>


     

       
9

       
8

       
 

       
  <link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">


     

       
10

       
9

       
 

       
  <link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/index.html 
···

       
4

       
4

       
 

       
<head>


     

       
5

       
5

       
 

       
  <meta charset="UTF-8">


     

       
6

       
6

       
 

       
  <meta name="viewport" content="width=device-width, initial-scale=1.0">


     

       
7

       

       
-

       
  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">


     

       
8

       
7

       
 

       
  <title>Thistle</title>


     

       
9

       
8

       
 

       
  <link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">


     

       
10

       
9

       
 

       
  <link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/reset-password.html 
···

       
4

       
4

       
 

       
<head>


     

       
5

       
5

       
 

       
  <meta charset="UTF-8">


     

       
6

       
6

       
 

       
  <meta name="viewport" content="width=device-width, initial-scale=1.0">


     

       
7

       

       
-

       
  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">


     

       
8

       
7

       
 

       
  <title>Reset Password - Thistle</title>


     

       
9

       
8

       
 

       
  <link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">


     

       
10

       
9

       
 

       
  <link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/settings.html 
···

       
4

       
4

       
 

       
<head>


     

       
5

       
5

       
 

       
	<meta charset="UTF-8">


     

       
6

       
6

       
 

       
	<meta name="viewport" content="width=device-width, initial-scale=1.0">


     

       
7

       

       
-

       
	<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">


     

       
8

       
7

       
 

       
	<title>Settings - Thistle</title>


     

       
9

       
8

       
 

       
	<link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">


     

       
10

       
9

       
 

       
	<link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">
-1
src/pages/transcribe.html 
···

       
4

       
4

       
 

       
<head>


     

       
5

       
5

       
 

       
  <meta charset="UTF-8">


     

       
6

       
6

       
 

       
  <meta name="viewport" content="width=device-width, initial-scale=1.0">


     

       
7

       

       
-

       
  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data: https://hostedboringavatars.vercel.app; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; object-src 'none'">


     

       
8

       
7

       
 

       
  <title>Transcribe - Thistle</title>


     

       
9

       
8

       
 

       
  <link rel="apple-touch-icon" sizes="180x180" href="../../public/favicon/apple-touch-icon.png">


     

       
10

       
9

       
 

       
  <link rel="icon" type="image/png" sizes="32x32" href="../../public/favicon/favicon-32x32.png">