From 4973b993eac244c80513037836b775f050f692f6 Mon Sep 17 00:00:00 2001 From: Jake Jarvis Date: Mon, 1 Apr 2019 15:02:46 -0400 Subject: [PATCH] don't allow unsafe styles in CSP --- static/404.html | 40 ++-------------------------------------- static/style.css | 41 ++++++++++++++++++++++++++++++++++++++++- worker.js | 2 +- 3 files changed, 43 insertions(+), 40 deletions(-) diff --git a/static/404.html b/static/404.html index e257168d..e42b4215 100644 --- a/static/404.html +++ b/static/404.html @@ -4,45 +4,9 @@ Page Not Found - + - +

Well, this is embarassing... 😳

The specified file was not found on this website. Please check the URL for mistakes and try again, or go home.

diff --git a/static/style.css b/static/style.css index 9e88bf50..50e87222 100644 --- a/static/style.css +++ b/static/style.css @@ -462,7 +462,7 @@ body#home h1 span#wave { -/*! Blog CSS */ +/*! Blog Styles */ body#notes { font-size: 18px; @@ -753,3 +753,42 @@ body#notes div#archive div.year div.title { width: 620px; } + + +/*! Error Styles */ + +body#error { + background: #efefef; + color: #5f5f5f; + font-family: Helvetica, Arial, sans-serif; + margin: 0; + padding: 0; +} +body#error div#message { + background: #ffffff; + max-width: 400px; + margin: 100px auto 16px; + padding: 16px 32px; + border-radius: 4px; + box-shadow: 0 1px 3px #e0e0e0, 0 1px 2px #888888; +} +body#error div#message h1 { + margin: 16px 0; + font-size: 22px; + font-weight: 300; +} +body#error div#message p { + margin: 16px 0; + font-size: 14px; + line-height: 140%; +} +body#error div#message a { + color: #039be5; +} +@media (max-width: 600px) { + body#error, body#error div#message { + background: #ffffff; + margin-top: 16px; + box-shadow: none; + } +} \ No newline at end of file diff --git a/worker.js b/worker.js index 991f9c33..ed0fcdd8 100644 --- a/worker.js +++ b/worker.js 
@@ -1,5 +1,5 @@
 let newHeaders = {
- "Content-Security-Policy": "default-src 'none'; script-src 'self' stats.jarv.is 'sha256-QwZM+dNl2R1KcXo8ORmpT3mqAVwIBbEcJBmWYurBNv4='; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self' www.youtube.com; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default",
+ "Content-Security-Policy": "default-src 'none'; script-src 'self' stats.jarv.is 'sha256-QwZM+dNl2R1KcXo8ORmpT3mqAVwIBbEcJBmWYurBNv4='; style-src 'self'; img-src 'self' data: https:; font-src 'self'; object-src 'self'; media-src 'self'; base-uri 'none'; form-action 'self'; frame-src 'self' www.youtube.com; frame-ancestors 'self'; worker-src 'none'; connect-src 'self' jarvis.report-uri.com stats.jarv.is; upgrade-insecure-requests; report-uri https://jarvis.report-uri.com/r/d/csp/enforce; report-to default",
 "Report-To": "{\"group\":\"default\",\"max_age\":604800,\"endpoints\":[{\"url\":\"https://jarvis.report-uri.com/a/d/g\"}]}",
 "NEL": "{\"report_to\":\"default\",\"max_age\":604800}",
 // "Strict-Transport-Security" : "max-age=1000",
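Review bot: The new `Content-Security-Policy` line keeps `object-src 'self'`, so same-origin plugin embeds stay allowed even though the commit otherwise tightens the policy; unless the site really serves `<object>`/`<embed>` content, `object-src 'none'` is the stricter default and removes the one source directive a CSP evaluator would still flag. Now that `style-src` is just `'self'`, any inline `style=""` attribute or `<style>` block left anywhere else under `static/` will be blocked and will show up at the configured `report-uri`, so those reports are worth checking after deploy. A one-line comment above the header would keep the exception from being reintroduced later, e.g. `// style-src deliberately omits 'unsafe-inline': page styles belong in static/style.css`. As a style point, `let newHeaders = {` on the context line could be `const` if nothing reassigns the binding further down the file, which is outside this hunk.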