From 732199332e6d5669545a4970501a2a06a3497299 Mon Sep 17 00:00:00 2001
From: wukko
Date: Wed, 18 Sep 2024 19:06:46 +0600
Subject: [PATCH] web/headers: fix CSP directives & refactor

---
 web/src/routes/_headers/+server.ts | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/web/src/routes/_headers/+server.ts b/web/src/routes/_headers/+server.ts
index 2cbf4e88..f8b3c81d 100644
--- a/web/src/routes/_headers/+server.ts
+++ b/web/src/routes/_headers/+server.ts
@@ -1,15 +1,32 @@
+import env from "$lib/env";
+
 export async function GET() {
- const CSP = [
- "default-src 'none'",
- "script-src 'self' challenges.cloudflare.com",
- "frame-src challenges.cloudflare.com",
- ]
+ const CSP = {
+ "connect-src": ["*"],
+ "default-src": ["'none'"],
+
+ "font-src": ["'self'"],
+ "style-src": ["'self'"],
+ "img-src": ["'self'"],
+ "manifest-src": ["'self'"],
+ "worker-src": ["'self'"],
+
+ "script-src": [
+ "'self'",
+ "challenges.cloudflare.com",
+ env.PLAUSIBLE_HOST ? env.PLAUSIBLE_HOST : ""
+ ],
+ "frame-src": ["challenges.cloudflare.com"],
+ }

 const _headers = {
 "/*": {
 "Cross-Origin-Opener-Policy": "same-origin",
 "Cross-Origin-Embedder-Policy": "require-corp",
- "Content-Security-Policy": CSP.join("; "),
+ "Content-Security-Policy":
+ Object.entries(CSP).map(
+ ([directive, values]) => `${directive} ${values.join(' ')}`
+ ).flat().join("; "),
 }
 }