shithub: puzzles

Download patch

ref: 667ce177294e0b4c4331c2af2bdc96ee9631fbf2
parent: eb366cb6c6c0dd23be392afaa280e97d4b9d966c
author: Ben Harris <[email protected]>
date: Sat Jan 21 08:23:38 EST 2023

Add a content security policy for the KaiOS app

This is for defence in depth against security holes either in Puzzles or
in the KaiAds API.  I haven't found any documentation of what KaiAds'
CSP requirements are, but allowing scripts and frames from *.kaiads.com
seems to be enough to let the test adverts work.

--- a/kaios/manifest.pl
+++ b/kaios/manifest.pl
@@ -66,5 +66,10 @@
             description => "Required to display advertisements"
         },
     },
+    csp => "default-src 'self';
+            script-src  'self' https://*.kaiads.com;
+            style-src   'self' 'unsafe-inline';
+            frame-src   'self' https://*.kaiads.com;
+            img-src     'self' data:;"               =~ s/\s+/ /gr,
     $decvers ? (version => $decvers) : (),
 })