mirrors/Equicord
1
1
Fork 0
mirror of https://github.com/Equicord/Equicord.git synced 2025-06-28 16:04:24 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Merge remote-tracking branch 'upstream/strict-csp' into dev2

Browse source
This commit is contained in:
thororen1234 2025-05-23 09:09:56 -04:00
commit 1a2e90e9cc
No known key found for this signature in database
1 changed files with 35 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

36
src/main/csp.ts
View file

@ -18,7 +18,41 @@ const MediaScriptsAndCssSrc = [...MediaAndCssSrc, "script-src", "worker-src"];
// script and just adding to it. But generally, you should just edit this file instead
export const CspPolicies: PolicyMap = {
"*": MediaScriptsAndCssSrc
"*.github.io": MediaAndCssSrc, // github pages, used by most themes
"raw.githubusercontent.com": MediaAndCssSrc, // github raw, used by some themes
"*.gitlab.io": MediaAndCssSrc, // gitlab pages, used by some themes
"gitlab.com": MediaAndCssSrc, // gitlab raw, used by some themes
"*.codeberg.page": MediaAndCssSrc, // codeberg pages, used by some themes
"codeberg.org": MediaAndCssSrc, // codeberg raw, used by some themes
"*.githack.com": MediaAndCssSrc, // githack (namely raw.githack.com), used by some themes
"jsdelivr.net": MediaAndCssSrc, // jsdeliver, used by very few themes
"fonts.googleapis.com": CssSrc, // google fonts, used by many themes
"i.imgur.com": MediaSrc, // imgur, used by some themes
"i.ibb.co": MediaSrc, // imgbb, used by some themes
"cdn.discordapp.com": MediaAndCssSrc, // Discord CDN, used by Vencord and some themes to load media
"media.discordapp.net": MediaSrc, // Discord media CDN, possible alternative to Discord CDN
// CDNs used for some things by Vencord.
// FIXME: we really should not be using CDNs anymore
"cdnjs.cloudflare.com": MediaScriptsAndCssSrc,
"cdn.jsdelivr.net": MediaScriptsAndCssSrc,
// Function Specific
"api.github.com": ConnectSrc, // used for updating Vencord itself
"ws.audioscrobbler.com": ConnectSrc, // last.fm API
"translate-pa.googleapis.com": ConnectSrc, // Google Translate API
"*.vencord.dev": MediaSrc, // VenCloud (api.vencord.dev) and Badges (badges.vencord.dev)
"manti.vendicated.dev": MediaSrc, // ReviewDB API
"decor.fieryflames.dev": ConnectSrc, // Decor API
"ugc.decor.fieryflames.dev": MediaSrc, // Decor CDN
"sponsor.ajay.app": ConnectSrc, // Dearrow API
"dearrow-thumb.ajay.app": MediaSrc, // Dearrow Thumbnail CDN
"usrbg.is-hardly.online": MediaSrc, // USRBG API
"icons.duckduckgo.com": MediaSrc, // DuckDuckGo Favicon API (Reverse Image Search)
};
const findHeader = (headers: PolicyMap, headerName: Lowercase<string>) => {