From e7af87fab1eb66a471465ac38752d050f32d820c Mon Sep 17 00:00:00 2001
From: Guus der Kinderen
Date: Fri, 19 Jan 2024 16:04:10 +0100
Subject: [PATCH] fix #46: Add Content-Security-Policy header

The added Content-Security-Policy header instructs browsers to not execute scripts that are served by the servlet. It does so by defining an empty collection of valid sources for scripts.
---
 src/main/java/nl/goodbytes/xmpp/xep0363/Servlet.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/main/java/nl/goodbytes/xmpp/xep0363/Servlet.java b/src/main/java/nl/goodbytes/xmpp/xep0363/Servlet.java
index 98bae6e..c1865ee 100644
--- a/src/main/java/nl/goodbytes/xmpp/xep0363/Servlet.java
+++ b/src/main/java/nl/goodbytes/xmpp/xep0363/Servlet.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2023 Guus der Kinderen. All rights reserved.
+ * Copyright (c) 2017-2024 Guus der Kinderen. All rights reserved.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -75,6 +75,7 @@ protected void service( HttpServletRequest request, HttpServletResponse response
 response.setHeader("Access-Control-Allow-Methods", "PUT, GET, HEAD, OPTIONS");
 response.setHeader("Access-Control-Allow-Headers", "Overwrite, Destination, Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control");
 }
+response.setHeader("Content-Security-Policy", "script-src ;");
 super.service(request, response);
 }
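Review bot: The policy value `script-src ;` relies on the CSP rule that an empty source list matches nothing; the explicit keyword is the unambiguous spelling and reads as intended to the next maintainer, so I would write `response.setHeader("Content-Security-Policy", "script-src 'none'; object-src 'none'");` on the added line. Since this servlet serves user-uploaded files, `object-src 'none'` closes the plugin/embed vector that `script-src` alone does not, and the commit message should say that the header is a defence-in-depth measure on top of, not a substitute for, a correct `Content-Type` (the existing response headers suggest `X-Content-Type-Options: nosniff` would belong in the same group). The header is set before `super.service`, so if the superclass or an error path resets the response buffer the header may be lost — worth confirming against the servlet container's behaviour. The enclosing `service` method starts outside the hunk.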