ref: 667ce177294e0b4c4331c2af2bdc96ee9631fbf2
parent: eb366cb6c6c0dd23be392afaa280e97d4b9d966c
author: Ben Harris <[email protected]>
date: Sat Jan 21 08:23:38 EST 2023
Add a content security policy for the KaiOS app This is for defence in depth against security holes either in Puzzles or in the KaiAds API. I haven't found any documentation of what KaiAds' CSP requirements are, but allowing scripts and frames from *.kaiads.com seems to be enough to let the test adverts work.
--- a/kaios/manifest.pl
+++ b/kaios/manifest.pl
@@ -66,5 +66,10 @@
description => "Required to display advertisements"
},
},
+ csp => "default-src 'self';
+ script-src 'self' https://*.kaiads.com;
+ style-src 'self' 'unsafe-inline';
+ frame-src 'self' https://*.kaiads.com;
+ img-src 'self' data:;" =~ s/\s+/ /gr,
$decvers ? (version => $decvers) : (),
})