Add base-uri and frame-ancestors to CSP

The archweb website contains no <base> elements so this can be disallowed. Also set frame-ancestors is set to the same value as X-Frame-Options. Signed-off-by: Jelle van der Waa <jelle@archlinux.org>
2019-02-24 17:14:17 +01:00 · 2019-02-24 17:14:17 +01:00 · aae6e43fcc
commit aae6e43fcc
parent b737f2b4c3
1 changed files with 2 additions and 0 deletions
--- a/settings.py
+++ b/settings.py
@ -98,6 +98,8 @@
 CSP_SCRIPT_SRC = ("'self'",)
 CSP_INCLUDE_NONCE_IN = ['script-src']
 CSP_IMG_SRC = ("'self'", 'data:',)
+CSP_BASE_URI = ("'none'",)
+CSP_FRAME_ANCESTORS = ("'none'",)

 # Use new test runner
 TEST_RUNNER = 'django.test.runner.DiscoverRunner'