privacy pass: degoogle, CSP, referrer

- Replace Google Fonts with system font stacks across all themes - Add Referrer-Policy, X-Content-Type-Options, X-Frame-Options, CSP headers - Add rel="noreferrer noopener" on all outbound links - Add no-referrer and dns-prefetch-control meta tags to all themes - Clean tracking params on outbound links from trusted/remote sources - Remove Google domains from CSP whitelists
2026-04-08 10:11:57 -07:00 · 2026-04-08 10:11:57 -07:00 · a9f426132e
commit a9f426132e
parent 9738d28b60
6 changed files with 285 additions and 275 deletions
--- a/gateway.py
+++ b/gateway.py
@ -123,6 +123,14 @@ class GatewayHandler(BaseHTTPRequestHandler):

            self.send_response(resp["status"])
            self.send_header("Content-Type", resp.get("content_type", "text/html; charset=utf-8"))
+            self.send_header("Referrer-Policy", "no-referrer")
+            self.send_header("X-Content-Type-Options", "nosniff")
+            self.send_header("X-Frame-Options", "DENY")
+            self.send_header("Content-Security-Policy",
+                             "default-src 'self'; "
+                             "style-src 'self' 'unsafe-inline'; "
+                             "script-src 'self' 'unsafe-inline'; "
+                             "img-src 'self' data:")
            for k, v in resp.get("headers", {}).items():
                self.send_header(k, v)
            self.end_headers()