Merge pull request #18 from markdumay/npm

Improve security headers

netlify.toml

@@ -20,20 +20,18 @@
         X-Content-Type-Options = "nosniff"
         X-XSS-Protection = "1; mode=block"
         Content-Security-Policy = """\
-            base-uri 'self'; \
-            child-src https://utteranc.es; \
             default-src 'self'; \
-            font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com; \
-            form-action 'self'; \
-            img-src 'self'; \
+            script-src 'report-sample' 'self' https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js https://utteranc.es/client.js; \
+            style-src 'report-sample' 'self' https://fonts.googleapis.com; \
             object-src 'none'; \
-            script-src 'report-sample' 'self' \
-                https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js \
-                https://cdn.jsdelivr.net/npm/flexsearch@0.7.21/dist/flexsearch.bundle.js \
-                https://utteranc.es/client.js; \
-            style-src 'report-sample' 'self' \
-                https://fonts.googleapis.com \
-                https://cdn.jsdelivr.net/npm/flexsearch@0.7.21/dist/flexsearch.bundle.js \
+            base-uri 'self'; \
+            connect-src 'self'; \
+            font-src 'self' https://fonts.gstatic.com; \
+            frame-src 'self' https://utteranc.es; \
+            img-src 'self'; \
+            manifest-src 'self'; \
+            media-src 'self'; \
+            worker-src 'none'; \
             """
         X-Frame-Options = "SAMEORIGIN"
         Referrer-Policy = "strict-origin"