From 5f9cc97defe207f6357c22030f3a828a83e70418 Mon Sep 17 00:00:00 2001
From: bert hubert
Date: Sat, 20 Jan 2024 11:10:15 +0100
Subject: [PATCH] also prevent iframes in svg, thanks Hidde van Ulsen
---
 serv.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/serv.cc b/serv.cc
index eee519a..ff641f6 100644
--- a/serv.cc
+++ b/serv.cc
@@ -234,7 +234,7 @@ int trifectaMain(int argc, const char**argv)
 cr.log({{"action", "view"}, {"imageId", imgid}});
 // this is needed for SVG which can contain embedded JavaScript (yes)
- cr.res.set_header("Content-Security-Policy", "script-src 'none';");
+ cr.res.set_header("Content-Security-Policy", "script-src 'none'; frame-src 'none';");
 return make_pair(s, get(results[0]["content_type"]));
 });
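Review bot: The policy on the added `set_header` line is still a list of individually denied features, so anything it does not name (for example `object-src`, or external loads governed by `img-src` and `style-src`) stays allowed, because no `default-src` is set for those directives to fall back to. A deny-by-default baseline would cover the next case without another patch, e.g. `cr.res.set_header("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox;");`, with the allowances adjusted to what uploaded SVGs actually need to render (inline styles and `data:` images are the usual ones; which of these this project relies on is not visible here). The comment above the call still mentions only embedded JavaScript and should say the header now blocks frames too. The enclosing handler lambda starts before the hunk, so whether other paths that serve stored images set the same header cannot be checked from this diff.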