commit a3bb069cae1d67d72282b30645ce5fd84a7611bb
from: Omar Polo
date: Thu Sep 14 15:43:29 2023 UTC
msearchd: add a strict Content-Security-Policy reminded by bentley@, thanks!
commit - 60046b7c7f322a82ccc5c448a9738d5a2f39a64e
commit + a3bb069cae1d67d72282b30645ce5fd84a7611bb
blob - 843b633e7a02b2e18bb16c2bf1bc2718f79cc063
blob + 77fe2630969c6a22b9d8da5c452301249272cfe7
--- msearchd/server.c
+++ msearchd/server.c
@@ -159,10 +159,17 @@ server_shutdown(struct env *env)
 int
 server_reply(struct client *clt, int status, const char *arg)
 {
+ const char *cps;
+
 if (status != 200 &&
 clt_printf(clt, "Status: %d\r\n", status) == -1)
 return (-1);
 
+ cps = "Content-Security-Policy: default-src 'self'; "
+ "script-src 'none'; object-src 'none';\r\n";
+ if (clt_puts(clt, cps) == -1)
+ return (-1);
+
 if (status == 302) {
 if (clt_printf(clt, "Location: %s\r\n", arg) == -1)
 return (-1);
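Review bot: The policy string assigned to `cps` in server_reply() omits the directives that do not fall back to `default-src`, namely `base-uri`, `form-action` and `frame-ancestors`, so framing of these pages by other origins and form submission to other origins stay unrestricted. Consider extending the second literal to `"script-src 'none'; object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none';\r\n";`, assuming the search form only submits back to this server. The local is spelled `cps` although the header abbreviates to CSP; `csp` would read better. Sending the header before the status-specific branches applies it to redirects and error replies too, which is worth a one-line comment such as `/* sent on every reply, including redirects and errors */`. The body of server_reply() continues past the end of the hunk.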