From 97977efabd92375f270d1818f38de3b0682c2f19 Mon Sep 17 00:00:00 2001
From: wukko
Date: Wed, 18 Sep 2024 18:44:24 +0600
Subject: [PATCH] web: generate `_headers` & add `Content-Security-Policy` header
---
 web/src/routes/_headers/+server.ts | 28 ++++++++++++++++++++++++++++
 web/static/_headers | 3 ---
 2 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 web/src/routes/_headers/+server.ts
 delete mode 100644 web/static/_headers
diff --git a/web/src/routes/_headers/+server.ts b/web/src/routes/_headers/+server.ts
new file mode 100644
index 00000000..2cbf4e88
--- /dev/null
+++ b/web/src/routes/_headers/+server.ts
@@ -0,0 +1,28 @@
+export async function GET() {
+ const CSP = [
+ "default-src 'none'",
+ "script-src 'self' challenges.cloudflare.com",
+ "frame-src challenges.cloudflare.com",
+ ]
+
+ const _headers = {
+ "/*": {
+ "Cross-Origin-Opener-Policy": "same-origin",
+ "Cross-Origin-Embedder-Policy": "require-corp",
+ "Content-Security-Policy": CSP.join("; "),
+ }
+ }
+
+ return new Response(
+ Object.entries(_headers).map(
+ ([path, headers]) => [
+ path,
+ Object.entries(headers).map(
+ ([key, value]) => ` ${key}: ${value}`
+ )
+ ].flat().join("\n")
+ ).join("\n\n")
+ );
+}
+
+export const prerender = true;
diff --git a/web/static/_headers b/web/static/_headers
deleted file mode 100644
index cabbdca5..00000000
--- a/web/static/_headers
+++ /dev/null
@@ -1,3 +0,0 @@
-/*
- Cross-Origin-Opener-Policy: same-origin
- Cross-Origin-Embedder-Policy: require-corp
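Review bot: The `CSP` array in `GET()` relies on `default-src 'none'`, but `frame-ancestors`, `base-uri` and `form-action` do not fall back to `default-src`, so framing of the site, `<base>` tag injection and form targets remain unrestricted by this policy. Unless the site is meant to be embedded elsewhere, I would add `"frame-ancestors 'none'"`, `"base-uri 'none'"` and `"form-action 'none'"` to the array. Conversely, every fetch directive that does fall back (`style-src`, `img-src`, `connect-src`, `font-src`, `worker-src`, and inline scripts under `script-src 'self'`) is now denied. If the front end loads stylesheets, images, workers or calls an API, which I cannot tell from this hunk, those requests will be blocked. It would be worth checking the built site in a browser, or shipping the policy as `Content-Security-Policy-Report-Only` first, and adding a short comment above `CSP` saying why each allowed origin is there.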