web: generate _headers & add Content-Security-Policy header

2024-11-15 12:50:01 +00:00 · 2024-09-18 18:44:24 +06:00 · 2024-09-18 18:44:24 +06:00 · 97977efabd
commit 97977efabd
parent d1686be583
2 changed files with 28 additions and 3 deletions
--- a/web/src/routes/_headers/+server.ts
+++ b/web/src/routes/_headers/+server.ts
@ -0,0 +1,28 @@
+export async function GET() {
+    const CSP = [
+        "default-src 'none'",
+        "script-src 'self' challenges.cloudflare.com",
+        "frame-src challenges.cloudflare.com",
+    ]
+
+    const _headers = {
+        "/*": {
+            "Cross-Origin-Opener-Policy": "same-origin",
+            "Cross-Origin-Embedder-Policy": "require-corp",
+            "Content-Security-Policy": CSP.join("; "),
+        }
+    }
+
+    return new Response(
+        Object.entries(_headers).map(
+            ([path, headers]) => [
+                path,
+                Object.entries(headers).map(
+                    ([key, value]) => `    ${key}: ${value}`
+                )
+            ].flat().join("\n")
+        ).join("\n\n")
+    );
+}
+
+export const prerender = true;
--- a/web/static/_headers
+++ b/web/static/_headers
@ -1,3 +0,0 @@
-/*
-    Cross-Origin-Opener-Policy: same-origin
-    Cross-Origin-Embedder-Policy: require-corp