web: serveFile: also serve a CSP putting served HTML in its own origin

Pierre Bourdon 2024-04-21 16:14:24 +02:00 committed by Janne Heß
parent 8b48579593
commit b72528be50
No known key found for this signature in database


@ -234,6 +234,9 @@ sub serveFile {
}
elsif ($ls->{type} eq "regular") {
# Have the hosted data considered its own origin to avoid being a giant
# XSS hole.
$c->response->header('Content-Security-Policy' => 'sandbox allow-scripts');
$c->stash->{'plain'} = { data => grab(cmd => ["nix", "--experimental-features", "nix-command",
"store", "cat", "--store", getStoreUri(), "$path"]) };