From aae6e43fccada4883bd2630a2c33666d3461f08e Mon Sep 17 00:00:00 2001
From: Jelle van der Waa
Date: Sun, 24 Feb 2019 17:14:17 +0100
Subject: Add base-uri and frame-ancestors to CSP

The archweb website contains no elements so this can be disallowed. Also set frame-ancestors is set to the same value as X-Frame-Options.

Signed-off-by: Jelle van der Waa
---
 settings.py | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'settings.py')

diff --git a/settings.py b/settings.py
index 17377c25..8d06b326 100644
--- a/settings.py
+++ b/settings.py
@@ -98,6 +98,8 @@ CSP_DEFAULT_SRC = ("'self'",)
 CSP_SCRIPT_SRC = ("'self'",)
 CSP_INCLUDE_NONCE_IN = ['script-src']
 CSP_IMG_SRC = ("'self'", 'data:',)
+CSP_BASE_URI = ("'none'",)
+CSP_FRAME_ANCESTORS = ("'none'",)
 
 # Use new test runner
 TEST_RUNNER = 'django.test.runner.DiscoverRunner'
-- cgit v1.2.3-55-g3dc8
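Review bot: `CSP_FRAME_ANCESTORS = ("'none'",)` is only equivalent to the X-Frame-Options header if `X_FRAME_OPTIONS` is `'DENY'`, and that setting is not in this hunk; if settings.py leaves it unset, the Django 2.x `XFrameOptionsMiddleware` default is `SAMEORIGIN`, which corresponds to `'self'`, not `'none'`, and browsers that honour both will apply the stricter CSP value, so please confirm the two agree. A short comment would also help future readers, since neither directive inherits from `CSP_DEFAULT_SRC`: `# base-uri and frame-ancestors do not fall back to default-src; keep frame-ancestors in step with X_FRAME_OPTIONS ('none' == DENY).` The description's "contains no elements" presumably read "no <base> elements" before the tag was stripped by the renderer.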