Commit a078b34
Apply Fresh 2's csp middleware globally with project img-src extension
Replaces the per-route useCSP() hook (deleted alongside utils/csp.ts
in the previous commit) with the Fresh 2 built-in `csp` middleware
applied at the App level. This is strictly more secure than the
Fresh 1 setup: CSP now applies to every route, not just the three
deletion/account pages that explicitly opted in.
Configuration:
- `useNonce: true` swaps the default 'unsafe-inline' allowance for
per-request nonces that Fresh auto-injects into the inline
scripts/styles it emits during render.
- The single override extends `img-src` to permit `avatars.github
usercontent.com` (OAuth-provided GitHub avatars) and
`www.gravatar.com` (developer profile avatars). The Fresh 2
defaults cover everything else: default-src 'self', script/style
via nonces, frame-ancestors 'none', base-uri 'self', form-action
'self', upgrade-insecure-requests, etc.
Tests unchanged (11 pass, e2e still ignored pending build-cache test
harness — tracked separately).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>1 parent 0bf7612 commit a078b34
1 file changed
Lines changed: 19 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | | - | |
| 1 | + | |
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
7 | 25 | | |
8 | 26 | | |
9 | 27 | | |
| |||
0 commit comments