hardcode csp headers for now

Author: dottmp

src/hooks.server.ts

@@ -2,8 +2,6 @@ import type { Handle } from '@sveltejs/kit';
 import { sequence } from '@sveltejs/kit/hooks';
 import { RetryAfterRateLimiter } from 'sveltekit-rate-limiter/server';
 
-import svelteConfig from '../svelte.config.js';
-
 import { dev } from '$app/environment';
 
 export const limiter = new RetryAfterRateLimiter({
@@ -38,7 +36,18 @@ const handleHeaders: Handle = async ({ event, resolve }) => {
 		'Cross-Origin-Resource-Policy': 'cross-origin'
 	};
 
-	const csp = Object.entries(svelteConfig.kit?.csp?.directives ?? {})
+	const csp = Object.entries({
+		'default-src': ['self'],
+		'script-src': ['self'],
+		'style-src': ['self'],
+		'font-src': ['self'],
+		'img-src': ['self', 'data:', 'https:'],
+		'connect-src': ['self'],
+		'object-src': ['none'],
+		'base-uri': ['self'],
+		'form-action': ['self'],
+		'frame-ancestors': ['none']
+	})
 		.map(([directive, value]) => `${directive} ${value.join(' ')}`)
 		.join('; ');