X-Git-Url: https://code.wpia.club/?a=blobdiff_plain;f=src%2Forg%2Fcacert%2Fgigi%2FGigi.java;h=78c3373e16a9c12d0f43abdf5ac5f0ba827c83eb;hb=5587d66ad8b14e851e07eb4ff214e2dc49c7c57e;hp=4b6b382699702b775cd25dd3e390f85495772015;hpb=8fd2b8c84b2547f532a84f38750dbed4b0503a3b;p=gigi.git
diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java
index 4b6b3826..78c3373e 100644
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -146,13 +146,35 @@ public class Gigi extends HttpServlet {
 }
 
 public static void addXSSHeaders(HttpServletResponse hsr) {
- hsr.addHeader("Access-Control-Allow-Origin",
- "http://cacert.org https://localhost");
+ hsr.addHeader("Access-Control-Allow-Origin", "https://"
+ + ServerConstants.getWwwHostNamePort() + " https://"
+ + ServerConstants.getSecureHostNamePort());
 hsr.addHeader("Access-Control-Max-Age", "60");
- hsr.addHeader("Content-Security-Policy", "default-src 'self' https://"
- + ServerConstants.getStaticHostNamePort()
- + " https://www.cacert.org/*;frame-ancestors 'none'");
- // ;report-uri https://felix.dogcraft.de/report.php
+ hsr.addHeader("Content-Security-Policy", getDefaultCSP());
+ hsr.addHeader("Strict-Transport-Security", "max-age=31536000");
+
+ }
+ private static String defaultCSP = null;
+ private static String getDefaultCSP() {
+ if (defaultCSP == null) {
+ StringBuffer csp = new StringBuffer();
+ csp.append("default-src 'none';");
+ csp.append("font-src https://"
+ + ServerConstants.getStaticHostNamePort());
+ csp.append(";img-src https://"
+ + ServerConstants.getStaticHostNamePort());
+ csp.append(";media-src 'none'; object-src 'none';");
+ csp.append("script-src https://"
+ + ServerConstants.getStaticHostNamePort());
+ csp.append(";style-src https://"
+ + ServerConstants.getStaticHostNamePort());
+ csp.append(";form-action https://"
+ + ServerConstants.getSecureHostNamePort() + " https://"
+ + ServerConstants.getWwwHostNamePort());
+ csp.append("report-url https://api.cacert.org/security/csp/report");
+ defaultCSP = csp.toString();
+ }
+ return defaultCSP;
 }
 
 }
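Review bot: The policy built in getDefaultCSP() never registers its reporting endpoint: the last append uses the directive name `report-url` (the directive is `report-uri`, as the removed comment spelled it), and because the preceding `form-action` append has no trailing `;`, the text is concatenated into the form-action source list, where browsers will most likely read it as two additional host sources rather than a report directive. The rewrite also drops `frame-ancestors 'none'` from the old header, and `default-src 'none'` does not act as a fallback for frame-ancestors, so the anti-framing protection is lost. I would end the builder with `csp.append(";frame-ancestors 'none'");` followed by `csp.append(";report-uri https://api.cacert.org/security/csp/report");`. Separately, `Access-Control-Allow-Origin` takes a single origin or `*`, not a space-separated list, so the new two-host value is likely to be rejected by user agents outright; the unsynchronized lazy init of `defaultCSP` is idempotent and only a style concern (a `StringBuilder` would do).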