Add CSP for HTML5 responses

services/api-server/src/api_server/html5_responses.py

@@ -6,6 +6,15 @@ from fastapi.responses import Response, StreamingResponse
 from fastapi.staticfiles import StaticFiles
 
 HTML5_SECURITY_HEADERS = {"X-Content-Type-Options": "nosniff"}
+HTML5_CONTENT_SECURITY_POLICY = (
+    "default-src 'self'; "
+    "script-src 'self'; "
+    "style-src 'self'; "
+    "connect-src 'self'; "
+    "img-src 'self' data:; "
+    "base-uri 'self'; "
+    "form-action 'self'"
+)
 
 
 class Html5StaticFiles(StaticFiles):
@@ -29,7 +38,11 @@ def html5_response(fragment: str) -> Response:
     return Response(
         fragment,
         media_type="text/html; charset=utf-8",
-        headers={"Cache-Control": "no-cache, no-transform", **HTML5_SECURITY_HEADERS},
+        headers={
+            "Cache-Control": "no-cache, no-transform",
+            "Content-Security-Policy": HTML5_CONTENT_SECURITY_POLICY,
+            **HTML5_SECURITY_HEADERS,
+        },
     )