Update.

src/snek/system/middleware.py

@@ -1,13 +1,8 @@
 # Written by retoor@molodetz.nl
 
-# This code provides middleware functions for an aiohttp server to manage and modify CORS (Cross-Origin Resource Sharing) headers.
-
-# Imports from 'aiohttp' library are used to create middleware; they are not part of Python's standard library.
-
-# MIT License: This code is distributed under the MIT License.
+# This code provides middleware functions for an aiohttp server to manage and modify CSP, CORS, and authentication headers.
 
 import secrets
-
 from aiohttp import web
 
 @web.middleware
@@ -17,18 +12,22 @@ async def csp_middleware(request, handler):
     csp_policy = (
         "default-src 'self'; "
         f"script-src 'self' https://umami.molodetz.nl 'nonce-{nonce}'; "
-        "style-src 'self'; "
-        "img-src *; "
-        "connect-src 'self'; https://umami.molodetz.nl; 'nonce-{nonce}';"
-        "font-src 'self'; "
+        "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; "
+        "img-src 'self' data: https://umodetz.nl; "
+        "connect-src 'self' https://umodetz.nl; "
+        "font-src 'self' data:; "
         "object-src 'none'; "
         "base-uri 'self'; "
-        "form-action 'self';"
+        "form-action 'self'; "
+        "frame-src 'self'; "
+        "worker-src 'self'; "
+        "media-src 'self'; "
+        "manifest-src 'self';"
     )
     request['csp_nonce'] = nonce
     response = await handler(request)
     response.headers['Content-Security-Policy'] = csp_policy
-    return response 
+    return response
 
 @web.middleware
 async def no_cors_middleware(request, handler):
@@ -36,7 +35,6 @@ async def no_cors_middleware(request, handler):
     response.headers.pop("Access-Control-Allow-Origin", None)
     return response
 
-
 @web.middleware
 async def cors_allow_middleware(request, handler):
     response = await handler(request)
@@ -48,7 +46,6 @@ async def cors_allow_middleware(request, handler):
     response.headers["Access-Control-Allow-Credentials"] = "true"
     return response
 
-
 @web.middleware
 async def auth_middleware(request, handler):
     request["user"] = None
@@ -58,7 +55,6 @@ async def auth_middleware(request, handler):
         )
     return await handler(request)
 
-
 @web.middleware
 async def cors_middleware(request, handler):
     if request.headers.get("Allow"):