From 7278ce8f26a88399bf73f9f331cfafb90e296271 Mon Sep 17 00:00:00 2001
From: Gabe Kangas
Date: Mon, 30 Aug 2021 19:43:28 -0700
Subject: [PATCH] Merge pull request from GHSA-2hfj-cxw7-g45p

---
 controllers/index.go | 4 ++--
 router/middleware/disableFloc.go | 8 --------
 router/middleware/headers.go | 19 +++++++++++++++++++
 3 files changed, 21 insertions(+), 10 deletions(-)
 delete mode 100644 router/middleware/disableFloc.go
 create mode 100644 router/middleware/headers.go

diff --git a/controllers/index.go b/controllers/index.go
index b793c516b..ca2325a68 100644
--- a/controllers/index.go
+++ b/controllers/index.go
@@ -68,8 +68,8 @@ func IndexHandler(w http.ResponseWriter, r *http.Request) {
 	// Set a cache control max-age header
 	middleware.SetCachingHeaders(w, r)
 
-	// Opt-out of Google FLoC
-	middleware.DisableFloc(w)
+	// Set our global HTTP headers
+	middleware.SetHeaders(w)
 
 	http.ServeFile(w, r, path.Join(config.WebRoot, r.URL.Path))
 }
diff --git a/router/middleware/disableFloc.go b/router/middleware/disableFloc.go
deleted file mode 100644
index 9f6787dec..000000000
--- a/router/middleware/disableFloc.go
+++ /dev/null
@@ -1,8 +0,0 @@
-package middleware
-
-import "net/http"
-
-// DisableFloc will tell Google to not use this response in their FLoC tracking.
-func DisableFloc(w http.ResponseWriter) {
-	w.Header().Set("Permissions-Policy", "interest-cohort=()")
-}
diff --git a/router/middleware/headers.go b/router/middleware/headers.go
new file mode 100644
index 000000000..e5c4e4647
--- /dev/null
+++ b/router/middleware/headers.go
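Review bot: The new `middleware.SetHeaders(w)` call is wired only into IndexHandler, and the diffstat lists no other call site, so the Content-Security-Policy it sets reaches only responses that go through this handler; if any other route in the router serves HTML or user-controlled content, it stays unprotected by this fix. If that is not intended, it would be more robust to apply SetHeaders once as a wrapper around the mux rather than remembering to call it per handler. The header write is correctly placed before `http.ServeFile`, which is the last point at which headers can still be added. IndexHandler starts outside the hunk.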
@@ -0,0 +1,19 @@
+package middleware
+
+import (
+	"net/http"
+	"strings"
+)
+
+// SetHeaders will set our global headers for web resources.
+func SetHeaders(w http.ResponseWriter) {
+	// Tell Google to not use this response in their FLoC tracking.
+	w.Header().Set("Permissions-Policy", "interest-cohort=()")
+
+	// Content security policy
+	csp := []string{
+		"script-src 'self' 'sha256-2HPCfJIJHnY0NrRDPTOdC7AOSJIcQyNxzUuut3TsYRY='",
+		"worker-src 'self' blob:", // No single quotes around blob:
+	}
+	w.Header().Set("Content-Security-Policy", strings.Join(csp, "; "))
+}
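Review bot: The policy assembled in `csp := []string{...}` restricts only script-src and worker-src, so markup injection can still redirect the page's relative script URLs through an injected `<base>` element or load a plugin, both of which script-src alone does not cover; I would add `"object-src 'none'",` and `"base-uri 'self'",` to the slice before the join, as both are standard hardening companions to a hash-based script-src. The `'sha256-2HPCfJIJ…'` value pins one specific inline script that this file never names, so the next edit to that script (presumably in the served index page — confirm) will silently break it in the browser with no build-time signal; a comment above the entry should say which inline script it was computed from and how to regenerate it, e.g. `// Hash of the inline script in <file>; recompute after any change to it with: openssl dgst -sha256 -binary script.js | base64`. The rest of the function, including the FLoC opt-out, reads fine.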