From ee5e06cd0cd7454f465113a8de1bce692a6a9e2f Mon Sep 17 00:00:00 2001 From: FrancescoUK Date: Wed, 6 Oct 2021 14:35:41 +0100 Subject: [PATCH] Fix CSP rules (and tested) --- public/.htaccess | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/public/.htaccess b/public/.htaccess index be5cd6fb5..256201c31 100644 --- a/public/.htaccess +++ b/public/.htaccess @@ -26,8 +26,11 @@ Options +ExecCGI +Includes +IncludesNOEXEC +SymLinksIfOwnerMatch -Indexes Header always set X-Frame-Options "SAMEORIGIN" - Header add Content-Security-Policy "script-src 'unsafe-inline'" - Header add Content-Security-Policy "font-src 'self', '*googleapis.com'" + Header add Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'" + Header add Content-Security-Policy "style-src 'self' 'unsafe-inline' fonts.googleapis.com" + Header add Content-Security-Policy "font-src 'self' fonts.googleapis.com fonts.gstatic.com" + Header add Content-Security-Policy "object-src 'none'" + Header add Content-Security-Policy "form-action 'self'" Header set X-Content-Type-Options "nosniff" Header set X-XSS-Protection "1; mode=block" Header set X-Frame-Options "DENY"
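Review bot: The five new `Header add Content-Security-Policy` lines send five independent CSP headers, and because none uses `always` they are attached only to 2xx responses, unlike the `Header always set X-Frame-Options` line just above them; each single-directive policy also leaves everything it does not name (images, connections, frames, `base-uri`) unrestricted because there is no `default-src`. I would collapse them into one directive-separated header, e.g. `Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com; object-src 'none'; form-action 'self'; base-uri 'self'"`, widening `default-src` (or adding `img-src`/`connect-src`) if the site fetches from other origins, which I cannot tell from this hunk. Note that `'unsafe-inline' 'unsafe-eval'` in `script-src` mean an injected `<script>` or `eval` still runs, so this policy mostly buys the `object-src`/`form-action` hardening rather than XSS mitigation; moving to nonces or hashes is the follow-up if the templates allow it. The surrounding context also leaves X-Frame-Options set twice (`always set ... "SAMEORIGIN"`, then `set ... "DENY"`), which puts both values on successful responses — pre-existing rather than introduced here, but worth reconciling (or replacing with `frame-ancestors`) while this file is being touched.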