@startup-api/cloudflare 0.4.1 → 0.4.2
package/package.json
CHANGED
|
@@ -304,10 +304,12 @@ export class AtprotoProvider extends OAuthProvider {
|
|
|
304
304
|
status,
|
|
305
305
|
headers: {
|
|
306
306
|
'Content-Type': 'text/html; charset=utf-8',
|
|
307
|
-
//
|
|
308
|
-
//
|
|
309
|
-
|
|
310
|
-
|
|
307
|
+
// Hardening: same-origin styles only, never framed, never cached (the form reflects the
|
|
308
|
+
// user-supplied handle). NOTE: deliberately NO `form-action` directive — submitting this form
|
|
309
|
+
// hits our endpoint, which 302-redirects to the user's *own* authorization server (any PDS).
|
|
310
|
+
// `form-action` is enforced across the whole redirect chain, so `'self'` (or any fixed list)
|
|
311
|
+
// would block that cross-origin redirect and the login would silently fail.
|
|
312
|
+
'Content-Security-Policy': "default-src 'none'; style-src 'self' 'unsafe-inline'; base-uri 'none'; frame-ancestors 'none'",
|
|
311
313
|
'X-Content-Type-Options': 'nosniff',
|
|
312
314
|
'Referrer-Policy': 'no-referrer',
|
|
313
315
|
'Cache-Control': 'no-store',
|
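Review bot: `style-src 'self' 'unsafe-inline'` in the new `Content-Security-Policy` line is looser than it needs to be if the inline style in the login form is static markup; a hash source (`'sha256-<base64-of-the-style-block>'`, placeholder value) or a per-response nonce would let `'unsafe-inline'` be dropped from the policy, and `default-src 'none'` already blocks everything else, so the change is confined to this one directive. The comment states that the form reflects the user-supplied handle, which makes this CSP a backstop rather than the primary control; the hunk does not show where the handle is encoded before being reflected, so please confirm that it is HTML-escaped at the point of interpolation. The rationale for omitting `form-action` (the POST is answered with a 302 to the user's own authorization server, and a fixed allow-list would block that cross-origin redirect) is clearly documented in the added comment, which is the right place for it; a short test that asserts the exact header value would keep a future "tighten the CSP" change from reintroducing `form-action` and silently breaking login.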