LemmyNet / lemmy-ui

The official web app for lemmy.
https://join-lemmy.org/
GNU Affero General Public License v3.0

Strengthen Content-Security-Policy header #1914

Open SineSwiper opened 1 year ago

SineSwiper commented 1 year ago

Summary

Issue #1641 introduced some unsafe content security policies. It appears unsafe-eval has been removed, but unsafe-inline still exists. (Although, unsafe-eval hasn't been specifically blocked...) As reported in issue #83, this breaks recommendations by Mozilla Observatory.

There are a ton of other bad practices that need to be fixed with the CSP. Fixing these gives us a layer of protection from future XSS attacks.

Steps to Reproduce

  1. Load web page and inspect Content-Security-Policy headers
  2. Inspect line of code that adds property
  3. Read Mozilla Observatory report

Technical Details

Any

Lemmy Instance Version

0.18.1

Lemmy Instance URL

https://observatory.mozilla.org/analyze/lemmy.world

sunaurus commented 1 year ago

FYI unsafe-inline for scripts was already removed in 0.18.2.

The current rating for 0.18.2 on that observatory website is A+: https://observatory.mozilla.org/analyze/lemm.ee

Some things can still be improved, most notably unsafe-inline for style-src can be abused to deface websites:

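The check this thread is asking for, as an added example that is not lemmy-ui code or part of the issue: a small linter for a Content-Security-Policy header value that reports the weak source expressions discussed above ('unsafe-inline', 'unsafe-eval', wildcards) for script-src and style-src, honouring the default-src fallback. The two policies at the bottom are constructed samples, not any instance's real header; the nonce value is a placeholder.

```python
"""Lint a Content-Security-Policy header for weak script-src / style-src sources.
Sample policies below are constructed for illustration, not taken from any instance."""
from __future__ import annotations

# Source expressions that undo most of the XSS protection a CSP gives.
WEAK_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Per the spec the first occurrence of a directive wins; later duplicates are ignored."""
    policy: dict[str, list[str]] = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts:
            policy.setdefault(parts[0].lower(), [p.lower() for p in parts[1:]])
    return policy


def lint_csp(header: str) -> list[str]:
    """Return findings for script-src and style-src; an empty list means nothing weak was found."""
    policy = parse_csp(header)
    findings: list[str] = []
    for directive in ("script-src", "style-src"):
        if directive in policy:
            sources = policy[directive]
        elif "default-src" in policy:
            sources = policy["default-src"]  # fetch directives fall back to default-src
        else:
            findings.append(f"{directive}: missing and no default-src fallback (unrestricted)")
            continue
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
        for weak in WEAK_SOURCES:
            if weak in sources:
                if weak == "'unsafe-inline'" and has_nonce_or_hash:
                    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present
                    findings.append(f"{directive}: 'unsafe-inline' present but ignored by CSP2+ browsers (nonce/hash set)")
                else:
                    findings.append(f"{directive}: allows {weak}")
    return findings


# Constructed sample of the kind of policy the issue complains about ...
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src * data:"
# ... and a hardened version that uses a per-response nonce (placeholder value) instead of 'unsafe-inline'.
HARDENED_POLICY = "default-src 'self'; script-src 'self' 'nonce-PLACEHOLDER'; style-src 'self' 'nonce-PLACEHOLDER'; img-src 'self' data:"

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_csp(policy) or ["no findings"])
```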