author | r <r@freesoftwareextremist.com> | 2023-10-15 15:53:44 +0000 |
committer | r <r@freesoftwareextremist.com> | 2023-10-15 15:53:44 +0000 |
commit | 67b13c71baea56eeb15532ca1b1377f6da8d18ac (patch) | |
tree | c10bc1f71e283b431076fd376acf170906fa0188 /service/transport.go | |
parent | ed521dd33d0d002c577a75e349136fed25b7fda5 (diff) | |
Use CSP header to restrict resource loading
This helps mitigate XSS exploits.
Users with custom CSS will have to save their settings again, because the
policy only allows the CSS once its hash has been stored alongside it.
Diffstat (limited to 'service/transport.go')
-rw-r--r-- | service/transport.go | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/service/transport.go b/service/transport.go
index 1182d6c..d032cce 100644
--- a/service/transport.go
+++ b/service/transport.go
@@ -26,6 +26,16 @@ const (
 	CSRF
 )
 
+const csp = "default-src 'none';" +
+	" img-src *;" +
+	" media-src *;" +
+	" font-src *;" +
+	" child-src *;" +
+	" connect-src 'self';" +
+	" form-action 'self';" +
+	" script-src 'self';" +
+	" style-src 'self'"
+
 func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
 	r := mux.NewRouter()
 
@@ -58,14 +68,14 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
 		}(time.Now())
 	}
 
-	var ct string
+	h := c.w.Header()
 	switch rt {
 	case HTML:
-		ct = "text/html; charset=utf-8"
+		h.Set("Content-Type", "text/html; charset=utf-8")
+		h.Set("Content-Security-Policy", csp)
 	case JSON:
-		ct = "application/json"
+		h.Set("Content-Type", "application/json")
 	}
-	c.w.Header().Add("Content-Type", ct)
 
 	err = c.authenticate(at, s.instance)
 	if err != nil {
@@ -73,6 +83,13 @@ func NewHandler(s *service, verbose bool, staticDir string) http.Handler {
 		return
 	}
 
+	// Override the CSP header to allow custom CSS
+	if rt == HTML && len(c.s.Settings.CSS) > 0 &&
+		len(c.s.Settings.CSSHash) > 0 {
+		v := fmt.Sprintf("%s 'sha256-%s'", csp, c.s.Settings.CSSHash)
+		h.Set("Content-Security-Policy", v)
+	}
+
 	err = f(c)
 	if err != nil {
 		writeError(c, err, rt, req.Method == http.MethodGet)
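Review bot: The new `csp` constant leaves out the two directives that do not fall back to `default-src 'none'`: `base-uri` (an injected `<base href>` can re-point every relative URL on the page) and `frame-ancestors` (no clickjacking protection from CSP; whether `X-Frame-Options` is set elsewhere is not visible here). I would add `" base-uri 'self';" +` and `" frame-ancestors 'self';" +` to the chain, placed before the `style-src` line rather than after it, because the later hunk appends a hash source to whatever directive is last. `child-src *` also lets the page frame any origin; if that is only needed for embedded media it is worth a comment saying so, e.g. `// child-src * : embedded players from other instances`. The constant sits outside NewHandler, so nothing here depends on request state.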
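Review bot: The `Content-Security-Policy` header is now set before `c.authenticate` runs, which looks deliberate but is not documented: presumably any error page written by `writeError` on an authentication failure is then covered by the same policy. A one-line comment above `h := c.w.Header()` would make that intent survive refactoring, e.g. `// Set headers before authenticate so error pages on auth failure get the CSP too.` Note the `switch` has no default branch, so a response type other than HTML or JSON gets neither a Content-Type nor a CSP; if such a type exists it is outside this hunk. The enclosing handler closure begins and ends outside the hunk.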
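Review bot: `c.s.Settings.CSSHash` is interpolated straight into the policy with `fmt.Sprintf`, so a value containing `;` or whitespace would add or break directives (Go's server only sanitises CR/LF in header values, not CSP syntax). If Settings is ever client-held (cookie or session blob) that is an attacker-controlled policy change; even if it is computed server-side when settings are saved, checking that the value is a bare base64 digest is a cheap invariant and removes the need for `fmt` here. The rewrite below needs `encoding/base64` imported; it also documents that the constant must keep `style-src` as its final directive for the append to attach to the right one. The enclosing closure starts and ends outside the hunk.
```go
	// Override the CSP header to allow custom CSS. The hash is appended to
	// the last directive of csp, which must therefore stay style-src. Only
	// a well-formed base64 digest is accepted: any other value (';', spaces,
	// quotes) would alter the policy rather than extend it.
	hash := c.s.Settings.CSSHash
	if rt == HTML && len(c.s.Settings.CSS) > 0 && len(hash) > 0 {
		if _, err := base64.StdEncoding.DecodeString(hash); err == nil {
			h.Set("Content-Security-Policy", csp+" 'sha256-"+hash+"'")
		}
	}
	// … unchanged: err = f(c) …
```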