fix: configure csp

Signed-off-by: Alexander Onnikov <[email protected]>

server/front/src/index.ts

@@ -113,6 +113,7 @@ async function getFileRange (
           'Accept-Ranges': 'bytes',
           'Content-Length': end - start + 1,
           'Content-Type': stat.contentType,
+          'Content-Security-Policy': "default-src 'none';",
           Etag: stat.etag,
           'Last-Modified': new Date(stat.modifiedOn).toISOString()
         })
@@ -202,6 +203,7 @@ async function getFile (
         const dataStream = await ctx.with('readable', {}, (ctx) => client.get(ctx, workspace, stat._id))
         res.writeHead(200, {
           'Content-Type': stat.contentType,
+          'Content-Security-Policy': "default-src 'none';",
           Etag: stat.etag,
           'Last-Modified': new Date(stat.modifiedOn).toISOString(),
           'Cache-Control': cacheControlValue,
@@ -414,6 +416,7 @@ export function start (
             res.writeHead(200, {
               'accept-ranges': 'bytes',
               'content-length': blobInfo.size,
+              'content-security-policy': "default-src 'none';",
               Etag: blobInfo.etag,
               'Last-Modified': new Date(blobInfo.modifiedOn).toISOString()
             })

workers/datalake/src/blob.ts

@@ -291,13 +291,15 @@ function r2MetadataHeaders (head: R2Object): Headers {
       'Accept-Ranges': 'bytes',
       'Content-Length': head.size.toString(),
       'Content-Type': head.httpMetadata.contentType ?? '',
+      'Content-Security-Policy': "default-src 'none';",
       'Cache-Control': head.httpMetadata.cacheControl ?? cacheControl,
       'Last-Modified': head.uploaded.toUTCString(),
       ETag: head.httpEtag
     })
     : new Headers({
       'Accept-Ranges': 'bytes',
       'Content-Length': head.size.toString(),
+      'Content-Security-Policy': "default-src 'none';",
       'Cache-Control': cacheControl,
       'Last-Modified': head.uploaded.toUTCString(),
       ETag: head.httpEtag