don't allow unsafe styles in CSP

2025-07-03 17:26:37 -04:00 · 2019-04-01 15:02:46 -04:00
parent b698308d23
commit 4973b993ea
3 changed files with 43 additions and 40 deletions
--- a/static/404.html
+++ b/static/404.html
@ -4,45 +4,9 @@
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Page Not Found</title>
-    <style media="screen">
-      body {
-        background: #efefef;
-        color: #5f5f5f;
-        font-family: Helvetica, Arial, sans-serif;
-        margin: 0;
-        padding: 0;
-      }
-      #message {
-        background: #ffffff;
-        max-width: 400px;
-        margin: 100px auto 16px;
-        padding: 16px 32px;
-        border-radius: 4px;
-        box-shadow: 0 1px 3px #e0e0e0, 0 1px 2px #888888;
-      }
-      #message h1 {
-        margin: 16px 0;
-        font-size: 22px;
-        font-weight: 300;
-      }
-      #message p {
-        margin: 16px 0;
-        font-size: 14px;
-        line-height: 140%;
-      }
-      #message a {
-        color: #039be5;
-      }
-      @media (max-width: 600px) {
-        body, #message {
-          background: #ffffff;
-          margin-top: 16px;
-          box-shadow: none;
-        }
-      }
-    </style>
+    <link rel="stylesheet" href="/style.css">
  </head>
-  <body>
+  <body id="error">
    <div id="message">
      <h1>Well, this is embarassing... &#x1F633;</h1>
      <p>The specified file was not found on this website. Please check the URL for mistakes and try again, or <a href="https://jarv.is/">go home</a>.</p>
--- a/static/style.css
+++ b/static/style.css
@ -462,7 +462,7 @@ body#home h1 span#wave {



-/*! Blog CSS */
+/*! Blog Styles */

 body#notes {
  font-size: 18px;
@ -753,3 +753,42 @@ body#notes div#archive div.year div.title {
  width: 620px;
 }

+
+
+/*! Error Styles */
+
+body#error {
+  background: #efefef;
+  color: #5f5f5f;
+  font-family: Helvetica, Arial, sans-serif;
+  margin: 0;
+  padding: 0;
+}
+body#error div#message {
+  background: #ffffff;
+  max-width: 400px;
+  margin: 100px auto 16px;
+  padding: 16px 32px;
+  border-radius: 4px;
+  box-shadow: 0 1px 3px #e0e0e0, 0 1px 2px #888888;
+}
+body#error div#message h1 {
+  margin: 16px 0;
+  font-size: 22px;
+  font-weight: 300;
+}
+body#error div#message p {
+  margin: 16px 0;
+  font-size: 14px;
+  line-height: 140%;
+}
+body#error div#message a {
+  color: #039be5;
+}
+@media (max-width: 600px) {
+  body#error, body#error div#message {
+    background: #ffffff;
+    margin-top: 16px;
+    box-shadow: none;
+  }
+}
--- a/worker.js
+++ b/worker.js
@ -1,5 +1,5 @@
 let newHeaders = {
-  "Content-Security-Policy": "default-src 'none'; script-src 'self' stats.jarv.is 'sha256-QwZM+dNl2R1KcXo8ORmpT3mqAVwIBbEcJBmWYurBNv4='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self' www.youtube.com; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default",
+  "Content-Security-Policy": "default-src 'none'; script-src 'self' stats.jarv.is 'sha256-QwZM+dNl2R1KcXo8ORmpT3mqAVwIBbEcJBmWYurBNv4='; style-src 'self'; img-src 'self' data: https:; font-src 'self'; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self' www.youtube.com; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default",
  "Report-To": "{\"group\":\"default\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://jarvis.report-uri.com/a/d/g\"}]}",
  "NEL": "{\"report_to\":\"default\",\"max_age\":604800}",
 //  "Strict-Transport-Security" : "max-age=1000",