From 36835b3cfc737e5f8d07da7c2e3490aaf77dd8b1 Mon Sep 17 00:00:00 2001
From: Niko PLP
Date: Sat, 19 Aug 2023 05:46:05 +0300
Subject: [PATCH] fix csp for ngaccount
---
 ngaccount/README.md | 1 +
 ngaccount/src/main.rs | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/ngaccount/README.md b/ngaccount/README.md
index 5a2368b..2154e59 100644
--- a/ngaccount/README.md
+++ b/ngaccount/README.md
@@ -26,6 +26,7 @@ cargo watch -c -w src -x run
 ```
 cd web
+export NG_ACCOUNT_DOMAIN=[domain name]
 pnpm run build
 cd ..
 cargo build --release
diff --git a/ngaccount/src/main.rs b/ngaccount/src/main.rs
index 0b0d119..addfa06 100644
--- a/ngaccount/src/main.rs
+++ b/ngaccount/src/main.rs
@@ -17,6 +17,7 @@ use p2p_net::actors::add_invitation::*;
 use p2p_net::broker::BROKER;
 use p2p_repo::store::StorageError;
 use serde::{Deserialize, Serialize};
+use warp::http::header::{HeaderMap, HeaderValue};
 use warp::reply::Response;
 use warp::{Filter, Reply};
@@ -254,7 +255,18 @@ async fn main() -> anyhow::Result<()> {
 let api_v1 = warp::path!("api" / "v1" / ..).and(register_api);
- let static_files = warp::get().and(warp_embed::embed(&Static)).boxed();
+ let mut headers = HeaderMap::new();
+ headers.insert(
+ "Content-Security-Policy",
+ HeaderValue::from_static(
+ "default-src 'self' data:; connect-src ipc: https://ipc.localhost",
+ ),
+ );
+
+ let static_files = warp::get()
+ .and(warp_embed::embed(&Static))
+ .with(warp::reply::with::headers(headers))
+ .boxed();
 let mut cors = warp::cors()
 .allow_methods(vec!["GET"])
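Review bot: The policy string passed to `HeaderValue::from_static` puts `data:` in `default-src`, and because no `script-src` is given, scripts fall back to that list, so `data:` URLs are accepted as script sources and the header does little against injected markup. Scoping `data:` to the resource types that need it would close that, for example `"default-src 'self'; img-src 'self' data:; font-src 'self' data:; connect-src 'self' ipc: https://ipc.localhost"`, with the exact directives to be confirmed against what the embedded front end actually loads. `connect-src` also replaces the `default-src` fallback rather than extending it, so as written same-origin requests (the `api/v1` routes built just above, if the page calls them with fetch) would be blocked unless `'self'` is listed there. `base-uri` and `frame-ancestors` are not covered by `default-src` and may be worth setting explicitly. The body of `main` starts and ends outside this hunk.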