pub fn rama_html_csp() -> ContentSecurityPolicy

Available on crate features http and net and haproxy and cli only.
Convenience: build the strict-self CSP, widened only with the image
hosts every rama-shipped HTML page needs (the inline favicon SVG via
data: and the GitHub-hosted banner image). Frame ancestry is denied
upstream by XFrameOptions::Deny and the policy's own
frame-ancestors 'none'.

The fingerprint service further extends this with connect-src 'self'
for the same-origin WebSocket on /api/ws; that addition is
scheme-aware ('self' covers ws:/wss: to the same origin per
CSP3) and is therefore not a separate ws:/wss: scheme
allow-list.
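The following is an added example, not rama's own code and not its ContentSecurityPolicy API: a small standalone CSP builder that reproduces the directive shape described above, plus an implementation of the CSP3 'self' source-matching rule, which is what makes connect-src 'self' sufficient for a same-origin WebSocket. The exact directive set behind "strict-self" and the banner host https://banner.example are assumptions (placeholders), not values from the page.

```rust
// Added illustration, not rama's code. The strict-self directive set and the
// banner host `https://banner.example` are assumptions / placeholders.

/// Ordered list of directive -> source expressions.
#[derive(Debug, Default, Clone)]
pub struct Csp {
    directives: Vec<(&'static str, Vec<String>)>,
}

impl Csp {
    /// Baseline "strict self" policy (assumed directive set).
    pub fn strict_self() -> Self {
        let mut csp = Csp::default();
        csp.add("default-src", "'self'")
            .add("frame-ancestors", "'none'")
            .add("base-uri", "'self'")
            .add("form-action", "'self'");
        csp
    }

    /// Append a source expression to a directive, creating it on first use.
    pub fn add(&mut self, directive: &'static str, source: &str) -> &mut Self {
        match self.directives.iter_mut().find(|(d, _)| *d == directive) {
            Some((_, sources)) => sources.push(source.to_string()),
            None => self.directives.push((directive, vec![source.to_string()])),
        }
        self
    }

    /// Serialise as a `Content-Security-Policy` header value.
    pub fn header_value(&self) -> String {
        self.directives
            .iter()
            .map(|(d, s)| format!("{} {}", d, s.join(" ")))
            .collect::<Vec<_>>()
            .join("; ")
    }
}

/// Strict self, widened only for the inline favicon (data:) and the banner host.
pub fn rama_like_html_csp() -> Csp {
    let mut csp = Csp::strict_self();
    csp.add("img-src", "'self'")
        .add("img-src", "data:")
        .add("img-src", "https://banner.example"); // placeholder banner host
    csp
}

/// The fingerprint page's extension: same-origin WebSocket via connect-src 'self'.
pub fn fingerprint_like_csp() -> Csp {
    let mut csp = rama_like_html_csp();
    csp.add("connect-src", "'self'");
    csp
}

#[derive(Debug, Clone, PartialEq)]
pub struct Origin {
    pub scheme: String,
    pub host: String,
    pub port: u16,
}

fn default_port(scheme: &str) -> Option<u16> {
    match scheme {
        "http" | "ws" => Some(80),
        "https" | "wss" => Some(443),
        _ => None,
    }
}

/// Minimal `scheme://host[:port][/...]` parser (no IPv6 literal support).
pub fn parse_origin(url: &str) -> Option<Origin> {
    let (scheme, rest) = url.split_once("://")?;
    let scheme = scheme.to_ascii_lowercase();
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let (host, port) = match authority.rsplit_once(':') {
        Some((h, p)) if !h.is_empty() => (h, p.parse::<u16>().ok()?),
        _ => (authority, default_port(&scheme)?),
    };
    Some(Origin { scheme, host: host.to_ascii_lowercase(), port })
}

/// CSP3 'self' matching: same host, ports equal or each the default for its own
/// scheme, and the request scheme is https/wss (or http/ws when the page is http).
pub fn self_matches(page: &Origin, url: &Origin) -> bool {
    if page.host != url.host {
        return false;
    }
    let ports_ok = page.port == url.port
        || (Some(page.port) == default_port(&page.scheme)
            && Some(url.port) == default_port(&url.scheme));
    if !ports_ok {
        return false;
    }
    page == url
        || matches!(url.scheme.as_str(), "https" | "wss")
        || (page.scheme == "http" && matches!(url.scheme.as_str(), "http" | "ws"))
}

/// Would `connect-src 'self'` on `page` admit a WebSocket to `ws_url`?
pub fn websocket_allowed(page: &str, ws_url: &str) -> bool {
    match (parse_origin(page), parse_origin(ws_url)) {
        (Some(p), Some(w)) => self_matches(&p, &w),
        _ => false,
    }
}

fn main() {
    println!("{}", fingerprint_like_csp().header_value());
    println!("{}", websocket_allowed("https://example.test/", "wss://example.test/api/ws"));
}
```

The matcher shows the practical consequence of the scheme-aware rule: from an https page, wss: to the same host and port is admitted by 'self' alone, while plain ws: to that host is not, so a separate ws:/wss: scheme allow-list would only loosen the policy.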