From 9024418aff0bab9cd07a54492ef19bd94ecef13b Mon Sep 17 00:00:00 2001
From: wukko
Date: Wed, 18 Sep 2024 19:12:13 +0600
Subject: [PATCH] web/headers: add more stuff to CSP again

---
 web/src/routes/_headers/+server.ts | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/web/src/routes/_headers/+server.ts b/web/src/routes/_headers/+server.ts
index f8b3c81d..96e00a8c 100644
--- a/web/src/routes/_headers/+server.ts
+++ b/web/src/routes/_headers/+server.ts
@@ -1,5 +1,11 @@
 import env from "$lib/env";
 
+const allowedScriptOrigins = [
+    "'self'",
+    "challenges.cloudflare.com",
+    env.PLAUSIBLE_HOST ? env.PLAUSIBLE_HOST : ""
+]
+
 export async function GET() {
     const CSP = {
         "connect-src": ["*"],
@@ -7,15 +13,14 @@ export async function GET() {
         "font-src": ["'self'"],
         "style-src": ["'self'"],
-        "img-src": ["'self'"],
+        "style-src-attr": ["'self'"],
+        "style-src-elem": ["'self'"],
+        "img-src": ["'self'", "data:"],
         "manifest-src": ["'self'"],
         "worker-src": ["'self'"],
-        "script-src": [
-            "'self'",
-            "challenges.cloudflare.com",
-            env.PLAUSIBLE_HOST ? env.PLAUSIBLE_HOST : ""
-        ],
+        "script-src": allowedScriptOrigins,
+        "script-src-attr": allowedScriptOrigins,
         "frame-src": ["challenges.cloudflare.com"],
     }
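Review bot: The third entry of `allowedScriptOrigins` in the first hunk is the empty string whenever `env.PLAUSIBLE_HOST` is unset, so the list now carries a dead `""` source into every directive that reuses it; dropping it at definition time keeps the serialized policy clean, e.g. `...(env.PLAUSIBLE_HOST ? [env.PLAUSIBLE_HOST] : [])` in place of the ternary, or `].filter(Boolean);` on the closing line. How the directive arrays are joined into the header happens outside these hunks, so whether the empty token actually reaches the response is inferred rather than visible. Because the array is module-level and (in the second hunk) shared by reference between `script-src` and `script-src-attr`, it is effectively a per-process constant and deserves to be marked as one, e.g. `] as const;` or `Object.freeze([...])`, and a short comment such as `// host sources shared by script-src and script-src-attr; PLAUSIBLE_HOST is optional` would explain the conditional entry. The closing `]` is also missing its semicolon, unlike the surrounding statements.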