Merge pull request from GHSA-2hfj-cxw7-g45p

router/middleware/disableFloc.go

@@ -1,8 +0,0 @@
-package middleware
-
-import "net/http"
-
-// DisableFloc will tell Google to not use this response in their FLoC tracking.
-func DisableFloc(w http.ResponseWriter) {
-	w.Header().Set("Permissions-Policy", "interest-cohort=()")
-}

router/middleware/headers.go

@@ -0,0 +1,19 @@
+package middleware
+
+import (
+	"net/http"
+	"strings"
+)
+
+// SetHeaders will set our global headers for web resources.
+func SetHeaders(w http.ResponseWriter) {
+	// Tell Google to not use this response in their FLoC tracking.
+	w.Header().Set("Permissions-Policy", "interest-cohort=()")
+
+	// Content security policy
+	csp := []string{
+		"script-src 'self' 'sha256-2HPCfJIJHnY0NrRDPTOdC7AOSJIcQyNxzUuut3TsYRY='",
+		"worker-src 'self' blob:", // No single quotes around blob:
+	}
+	w.Header().Set("Content-Security-Policy", strings.Join(csp, "; "))
+}