diff --git a/_includes/head.html b/_includes/head.html index 5c6df51..80ba66f 100644 --- a/_includes/head.html +++ b/_includes/head.html @@ -21,16 +21,20 @@ stricter style-src without 'unsafe-inline' would break their layout, and a CSP that breaks styling is worse than no CSP. - X-Content-Type-Options and X-Frame-Options are deliberately NOT emitted as - meta tags: both directives are only honored by browsers when sent as real - HTTP response headers and have no effect via . Enforcing - them requires either GitHub Pages gaining header support or fronting the - site with something that can inject headers (e.g. Cloudflare Transform - Rules / a Worker). + X-Content-Type-Options, X-Frame-Options, and the CSP `frame-ancestors` + directive are deliberately NOT included here: they are only honored by + browsers when delivered as real HTTP response headers and are ignored via + (frame-ancestors logs a console warning if left in). + Enforcing them requires either GitHub Pages gaining header support or + fronting the site with something that can inject headers (e.g. Cloudflare + Transform Rules / a Worker). + + font-src allows data: because the Webflow CSS embeds an icon font as a + data:application/x-font-ttf URI. --> + content="default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; base-uri 'self'; form-action 'self'">