web: generate _headers & add Content-Security-Policy header

web/src/routes/_headers/+server.ts

@@ -0,0 +1,28 @@
+export async function GET() {
+    const CSP = [
+        "default-src 'none'",
+        "script-src 'self' challenges.cloudflare.com",
+        "frame-src challenges.cloudflare.com",
+    ]
+
+    const _headers = {
+        "/*": {
+            "Cross-Origin-Opener-Policy": "same-origin",
+            "Cross-Origin-Embedder-Policy": "require-corp",
+            "Content-Security-Policy": CSP.join("; "),
+        }
+    }
+
+    return new Response(
+        Object.entries(_headers).map(
+            ([path, headers]) => [
+                path,
+                Object.entries(headers).map(
+                    ([key, value]) => `    ${key}: ${value}`
+                )
+            ].flat().join("\n")
+        ).join("\n\n")
+    );
+}
+
+export const prerender = true;

web/static/_headers

@@ -1,3 +0,0 @@
-/*
-    Cross-Origin-Opener-Policy: same-origin
-    Cross-Origin-Embedder-Policy: require-corp