From 667ce177294e0b4c4331c2af2bdc96ee9631fbf2 Mon Sep 17 00:00:00 2001
From: Ben Harris
Date: Sat, 21 Jan 2023 13:23:38 +0000
Subject: [PATCH] Add a content security policy for the KaiOS app

This is for defence in depth against security holes either in Puzzles or in the KaiAds API. I haven't found any documentation of what KaiAds' CSP requirements are, but allowing scripts and frames from *.kaiads.com seems to be enough to let the test adverts work.
---
 kaios/manifest.pl | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kaios/manifest.pl b/kaios/manifest.pl
index 838ff3e..94c57ad 100755
--- a/kaios/manifest.pl
+++ b/kaios/manifest.pl
@@ -66,5 +66,10 @@ print JSON::PP->new->canonical->encode({
 description => "Required to display advertisements"
 },
 },
+ csp => "default-src 'self';
+ script-src 'self' https://*.kaiads.com;
+ style-src 'self' 'unsafe-inline';
+ frame-src 'self' https://*.kaiads.com;
+ img-src 'self' data:;" =~ s/\s+/ /gr,
 $decvers ? (version => $decvers) : (),
 })
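Review bot: The `style-src 'self' 'unsafe-inline'` directive is the one allowance in the new `csp` string that weakens the policy below what the rest of it provides, and nothing in the hunk records why it is needed, so a maintainer tightening the policy later would have to rediscover that. I would add a comment above `csp =>` along the lines of `# 'unsafe-inline' on style-src is presumably required by inline style attributes set by the puzzle or ad code; it leaves CSS (not script) injection possible if HTML injection exists -- confirm it is still needed.` It may also be worth spelling out `object-src 'none'` rather than relying on `default-src 'self'`, e.g. `csp => "default-src 'self'; object-src 'none';`, unless the KaiOS packaged-app platform already enforces that, which I cannot tell from here. A one-line comment saying that `=~ s/\s+/ /gr` exists only to fold the multi-line literal onto a single line would help the next reader too. The enclosing `encode({ ... })` call starts before the hunk.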