Commit 2cd0f5e8 authored by Nicolas Pernoud's avatar Nicolas Pernoud

fix: do not rewrite the whole CSP header when the response already carries one

parent 071f4b78
......@@ -84,6 +84,7 @@ func CreateMockAPI() *http.ServeMux {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.Header().Set("X-XSS-Protection", "1; mode=block")
w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors http://www.example.com")
w.Write([]byte(`{
"foo": "bar",
"bar": "foo"
......
......@@ -4,6 +4,7 @@ import (
"fmt"
"net/http"
"strconv"
"strings"
)
// Cors enables CORS Request on server (for development purposes)
......@@ -37,7 +38,19 @@ func (s webSecurityWriter) WriteHeader(code int) {
if s.allowEvalInlineScript {
inline = "'unsafe-inline' 'unsafe-eval'"
}
s.w.Header().Set("Content-Security-Policy", fmt.Sprintf("default-src %[1]v 'self'; img-src %[1]v blob: 'self'; script-src 'self' %[1]v %[2]v; style-src 'self' 'unsafe-inline'; frame-src %[1]v; frame-ancestors %[1]v", s.source, inline))
// Get existing CSP Header
cspHeader := s.w.Header().Get("Content-Security-Policy")
if cspHeader != "" { // If it exists, alter it to inject the vestibule main hostname in authorized frame ancestors
if strings.Contains(cspHeader, "frame-ancestors") {
cspHeader = strings.Replace(cspHeader, "frame-ancestors", fmt.Sprintf("frame-ancestors %v", s.source), 1)
} else {
cspHeader = cspHeader + fmt.Sprintf("; frame-ancestors %v", s.source)
}
} else { // If not, forge a default CSP Header
cspHeader = fmt.Sprintf("default-src %[1]v 'self'; img-src %[1]v blob: 'self'; script-src 'self' %[1]v %[2]v; style-src 'self' 'unsafe-inline'; frame-src %[1]v; frame-ancestors %[1]v", s.source, inline)
}
// Set the resulting CSP Header
s.w.Header().Set("Content-Security-Policy", cspHeader)
//s.w.Header().Set("X-Frame-Options", "SAMEORIGIN") // Works fine with chrome but is not obsoleted by frame-src in firefox 72.0.2
s.w.Header().Set("X-XSS-Protection", "1; mode=block")
s.w.Header().Set("Referrer-Policy", "strict-origin")
......
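Review bot: `s.w.Header().Get("Content-Security-Policy")` at the top of the hunk reads only the first CSP value, and the `s.w.Header().Set(...)` at the end then overwrites all of them, so an upstream response carrying several Content-Security-Policy headers keeps only the patched first policy and silently loses the others. Since a browser enforces every delivered policy independently, the vestibule host would also still be blocked by any second policy that sets its own `frame-ancestors`, so each value has to be patched rather than just the first; the rewrite below does that with the map directly (`Header().Values` would do the same but only exists from Go 1.14). As a secondary point, directive names are ASCII case-insensitive while `strings.Contains(cspHeader, "frame-ancestors")` is case-sensitive, so a `Frame-Ancestors` directive from upstream would get a second `frame-ancestors` appended, which browsers ignore in favour of the first; lowercasing before the match would cover that. `WriteHeader`'s signature and the remainder of its body lie outside this hunk.
```go
// Patch every CSP value: a browser enforces each delivered policy on its own,
// so each one that restricts frame-ancestors must admit the vestibule host.
existing := s.w.Header()["Content-Security-Policy"]
var cspHeaders []string
if len(existing) > 0 {
	cspHeaders = make([]string, 0, len(existing))
	for _, cspHeader := range existing {
		if strings.Contains(strings.ToLower(cspHeader), "frame-ancestors") {
			cspHeader = strings.Replace(cspHeader, "frame-ancestors", fmt.Sprintf("frame-ancestors %v", s.source), 1)
		} else {
			cspHeader = cspHeader + fmt.Sprintf("; frame-ancestors %v", s.source)
		}
		cspHeaders = append(cspHeaders, cspHeader)
	}
} else { // No upstream policy: forge the default one
	cspHeaders = []string{fmt.Sprintf("default-src %[1]v 'self'; img-src %[1]v blob: 'self'; script-src 'self' %[1]v %[2]v; style-src 'self' 'unsafe-inline'; frame-src %[1]v; frame-ancestors %[1]v", s.source, inline)}
}
s.w.Header()["Content-Security-Policy"] = cspHeaders
// … unchanged: X-XSS-Protection / Referrer-Policy headers …
```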
......@@ -42,7 +42,7 @@
</div>
<div class="navbar-menu">
<div class="navbar-end">
<div class="navbar-item"><p>v4.3.4</p></div>
<div class="navbar-item"><p>v4.3.5</p></div>
</div>
</div>
</nav>
......