also prevent iframes in svg, thanks Hidde van Ulsen

berthubert · Jan 20, 2024 · 5f9cc97 · 5f9cc97
1 parent 4d42dff
commit 5f9cc97
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/serv.cc b/serv.cc
@@ -234,7 +234,7 @@ int trifectaMain(int argc, const char**argv)
 
     cr.log({{"action", "view"}, {"imageId", imgid}});
     // this is needed for SVG which can contain embedded JavaScript (yes)
-    cr.res.set_header("Content-Security-Policy", "script-src 'none';");
+    cr.res.set_header("Content-Security-Policy", "script-src 'none'; frame-src 'none';");
     return make_pair(s, get<string>(results[0]["content_type"]));
   });