From 00cb702e4f915f90c77fdc76b523922726795e88 Mon Sep 17 00:00:00 2001
From: mei23
Date: Mon, 15 Apr 2024 04:03:02 +0900
Subject: [PATCH] Add CSP to Bull Dashboard

---
 packages/backend/src/server/web/index.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/packages/backend/src/server/web/index.ts b/packages/backend/src/server/web/index.ts
index bbd5ed4632..aa1c76de7b 100644
--- a/packages/backend/src/server/web/index.ts
+++ b/packages/backend/src/server/web/index.ts
@@ -47,6 +47,16 @@ app.use(async (ctx, next) => {
 // %71ueueとかでリクエストされたら困るため
 const url = decodeURI(ctx.path);
 if (url === bullBoardPath || url.startsWith(bullBoardPath + '/')) {
+ ctx.set('Content-Security-Policy',
+ `base-uri 'self'; ` +
+ `default-src 'none'; ` +
+ `script-src 'self'; ` +
+ `img-src 'self' https: data: blob:; ` +
+ `style-src 'self' 'unsafe-inline' https:; ` +
+ `font-src 'self' https:; ` +
+ `connect-src 'self' data: blob:; ` +
+ `frame-ancestors 'none'`);
+
 if (!url.startsWith(bullBoardPath + '/static/')) {
 ctx.set('Cache-Control', 'private, max-age=0, must-revalidate');
 }
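Review bot: The new policy in the added `ctx.set('Content-Security-Policy', ...)` call leaves `form-action` unrestricted; unlike `object-src` or `worker-src`, `form-action` does not fall back to `default-src 'none'`, so a form on the dashboard page could still be submitted to any origin. Adding `` `form-action 'self'; ` + `` alongside the `frame-ancestors 'none'` directive closes that gap with no effect on the dashboard's own requests. The `'unsafe-inline'` in `style-src` and the broad `https:` sources for images, styles and fonts are presumably what the bundled Bull Board UI needs; a short comment such as `// 'unsafe-inline' styles and https: assets are required by the Bull Board UI; tighten if the dashboard bundle changes` would tell the next maintainer which parts are deliberate. As a point of style, building the header from an array of directives joined with `'; '` would read more clearly than the chain of template literals concatenated with `+`. The enclosing `app.use` callback continues past the hunk, so where `next()` is called relative to these headers cannot be seen here.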