From 732217ccea82e849a8d2404368eb5a77c8df1ab9 Mon Sep 17 00:00:00 2001
From: daudix
Date: Fri, 18 Oct 2024 20:30:23 +0300
Subject: [PATCH] Append comments host in CSP

---
 config.toml                 | 6 +++---
 templates/partials/csp.html | 6 ++++++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/config.toml b/config.toml
index 2240002..d99ee4c 100644
--- a/config.toml
+++ b/config.toml
@@ -169,9 +169,9 @@ csp = [
   { directive = "style-src", domains = ["'self'", "'unsafe-inline'"] },
   { directive = "frame-src", domains = ["https://player.vimeo.com", "https://www.youtube-nocookie.com", "https://toot.community"] },
   { directive = "connect-src", domains = ["https://toot.community"] },
-  { directive = "frame-ancestors", domains = ["'self'"] },
-  { directive = "base-uri", domains = ["'self'"] },
-  { directive = "form-action", domains = ["'self'"] },
+  { directive = "frame-ancestors", domains = ["'none'"] },
+  { directive = "base-uri", domains = ["'none'"] },
+  { directive = "form-action", domains = ["'none'"] },
   { directive = "require-trusted-types-for", domains = ["'script'"] },
 ]
 # Display outlines around all elements for debugging purposes
diff --git a/templates/partials/csp.html b/templates/partials/csp.html
index dc7ce6c..bb6ff7e 100644
--- a/templates/partials/csp.html
+++ b/templates/partials/csp.html
@@ -18,6 +18,12 @@ content="default-src 'none';
     {%- set connect_src = connect_src ~ " " ~ goatcounter_url -%}
   {%- endif %}
 
+  {#- Append comments host if present -#}
+  {%- if config.extra.comments -%}
+    {%- set connect_src = connect_src ~ " " ~ "https://" ~ config.extra.comments.host -%}
+  {%- endif -%}
+
   {#- Append WebSocket for Zola serve mode -#}
   {%- if config.mode == "serve" -%}
     {%- set connect_src = connect_src ~ " ws:" -%}
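Review bot: The three replaced entries tighten `frame-ancestors`, `base-uri` and `form-action` from `'self'` to `'none'`, which is a separate hardening step that the commit subject ("Append comments host in CSP") and description do not mention; `form-action 'none'` in particular blocks submission of every form on the site, so it is only correct if no template renders a `<form>` (a search box, for instance). A short comment above these entries would record the assumption for the next person editing the list, e.g. `# 'none': the site serves no forms, must not be framed, and sets no <base>`. The `csp` array begins before this hunk.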
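Review bot: The new `set` line reads `config.extra.comments.host` after checking only that `config.extra.comments` exists, so an `[extra.comments]` table without a `host` key would, as far as I can tell from Tera's handling of undefined variables in `set`, fail the render rather than skip the directive; guarding on the field itself, `{%- if config.extra.comments and config.extra.comments.host -%}`, avoids that. The line also hardcodes the `https://` prefix, so `host` has to be a bare hostname (no scheme, no path) for the resulting `connect-src` entry to parse; the added comment could state that, e.g. `{#- Append comments host if present (bare hostname, scheme is added here) -#}`. The `connect-src` list in config.toml already names a fixed host while this template derives one from `config.extra.comments`; whether both are emitted into the same header is not visible here, but if they are, keeping a single source would avoid the two drifting apart. The template content continues on both sides of the hunk.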