From 844e60df3037ebc462f9c00299e6b3f1781be4ac Mon Sep 17 00:00:00 2001
From: trisua
Date: Sun, 15 Jun 2025 23:52:33 -0400
Subject: [PATCH] add: serve csp through header
---
 crates/app/src/main.rs | 8 ++++----
 crates/app/src/public/html/root.lisp | 1 -
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/crates/app/src/main.rs b/crates/app/src/main.rs
index 09ea802..152cde1 100644
--- a/crates/app/src/main.rs
+++ b/crates/app/src/main.rs
@@ -119,10 +119,10 @@ async fn main() {
 .make_span_with(trace::DefaultMakeSpan::new().level(Level::INFO))
 .on_response(trace::DefaultOnResponse::new().level(Level::INFO)),
 )
- // .layer(SetResponseHeaderLayer::if_not_present(
- // HeaderName::from_static("X-Frame-Options"),
- // HeaderValue::from_static("SAMEORIGIN"),
- // ))
+ .layer(SetResponseHeaderLayer::if_not_present(
+ HeaderName::from_static("content-security-policy"),
+ HeaderValue::from_static("default-src 'self' blob: *.spotify.com musicbrainz.org; frame-ancestors 'self'; img-src * data:; media-src *; font-src *; style-src 'unsafe-inline' 'self' blob: *; script-src 'self' 'unsafe-inline' blob: *; object-src 'self' blob: *; upgrade-insecure-requests; connect-src * localhost; frame-src 'self' blob: data: *"),
+ ))
 .layer(CatchPanicLayer::new());
 let listener = tokio::net::TcpListener::bind(format!("0.0.0.0:{}", config.port))
diff --git a/crates/app/src/public/html/root.lisp b/crates/app/src/public/html/root.lisp
index c7867b1..356e86a 100644
--- a/crates/app/src/public/html/root.lisp
+++ b/crates/app/src/public/html/root.lisp
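Review bot: The policy string in the new `HeaderValue::from_static` line grants `script-src 'self' 'unsafe-inline' blob: *`, `style-src 'unsafe-inline' 'self' blob: *`, `object-src 'self' blob: *` and `frame-src 'self' blob: data: *`, so it does not restrict where scripts, plugins or frames may be loaded from and does not mitigate injected inline script; the protection this header actually adds is `frame-ancestors 'self'` (which browsers ignore in a `<meta>` tag, so the header is the right delivery point) and `upgrade-insecure-requests`. Consider narrowing the directives that do not need a wildcard — at minimum `object-src 'none'` plus a `base-uri 'self'` directive — and listing only the script origins the app actually loads, replacing `'unsafe-inline'` with nonces or hashes if the templates allow it. A short comment above the layer, such as `// CSP is sent as a header rather than <meta>: frame-ancestors is only honoured from the header`, would record why the meta tag in root.lisp was dropped. Because `if_not_present` is used, a handler that sets its own Content-Security-Policy presumably takes precedence over this one, which is worth noting next to the layer. The enclosing `main` starts and ends outside the hunk.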
@@ -7,7 +7,6 @@ (meta ("charset" "UTF-8"))
 (meta ("name" "viewport") ("content" "width=device-width, initial-scale=1.0"))
 (meta ("http-equiv" "X-UA-Compatible") ("content" "ie=edge"))
- (meta ("http-equiv" "content-security-policy") ("content" "default-src 'self' blob: *.spotify.com musicbrainz.org; img-src * data:; media-src *; font-src *; style-src 'unsafe-inline' 'self' blob: *; script-src 'self' 'unsafe-inline' blob: *; object-src 'self' blob: *; upgrade-insecure-requests; connect-src * localhost; frame-src 'self' blob: data: *"))
 (link ("rel" "icon") ("href" "/public/favicon.svg"))
 (link ("rel" "stylesheet") ("href" "/css/style.css"))