Commit b8171bfd authored by Nicolas PERNOUD's avatar Nicolas PERNOUD

fix: added unsafe-inline and unsafe-eval to apps CSP

parent 883ab68c
......@@ -37,6 +37,7 @@
"isProxy": false,
"host": "static.vestibule.127.0.0.1.nip.io",
"serve": "./testdata/static",
"secured": false
"secured": false,
"securityheaders": true
}
]
\ No newline at end of file
......@@ -82,7 +82,7 @@ func CreateRootMux(port int, appsFile string, davsFile string, staticDir string)
mainMux.Handle("/", middlewares.NoCache(http.FileServer(&common.FallBackWrapper{Assets: http.Dir(staticDir)})))
// Put it together into the main handler
mux := http.NewServeMux()
mux.Handle(hostname+"/", middlewares.WebSecurity(mainMux, "*."+hostname+":*"))
mux.Handle(hostname+"/", middlewares.WebSecurity(mainMux, "*."+hostname+":*", false))
mux.Handle("/", adH)
return RootMux{mux, policy, &m}
}
......@@ -108,7 +108,7 @@ func (h *appDavHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
}
for _, d := range h.ds.Davs {
if host == d.Host {
middlewares.Cors(middlewares.WebSecurity(h.ds, h.cspSrc), h.dsCORSAllowOrigin).ServeHTTP(w, r)
middlewares.Cors(middlewares.WebSecurity(h.ds, h.cspSrc, false), h.dsCORSAllowOrigin).ServeHTTP(w, r)
return
}
}
......@@ -170,7 +170,7 @@ func makeHandler(app *app, authz authzFunc) http.Handler {
handler = http.FileServer(http.Dir(d))
}
if app.SecurityHeaders {
handler = middlewares.WebSecurity(handler, fmt.Sprintf("%[1]v:* *.%[1]v:*", frameSource))
handler = middlewares.WebSecurity(handler, fmt.Sprintf("%[1]v:* *.%[1]v:*", frameSource), true)
}
if !app.Secured || handler == nil {
return handler
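Review bot: The third argument on the changed line is the literal `true`, so every app with SecurityHeaders set receives `'unsafe-inline' 'unsafe-eval'` in its script-src, including apps whose content never needs either. Those two source expressions remove most of the script-injection protection the header gives, so it would be worth driving the flag from a per-app setting declared next to SecurityHeaders, making the relaxed policy opt-in per app rather than the default for all of them. makeHandler starts and ends outside this hunk, so the surrounding config handling is not visible here.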
......@@ -18,10 +18,14 @@ func Cors(next http.Handler, allowedOrigin string) http.Handler {
}
// WebSecurity adds good practices security headers on http responses
func WebSecurity(next http.Handler, source string) http.Handler {
func WebSecurity(next http.Handler, source string, allowEvalInlineScript bool) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
w.Header().Set("Strict-Transport-Security", "max-age=63072000")
w.Header().Set("Content-Security-Policy", fmt.Sprintf("default-src %[1]v 'self'; img-src %[1]v blob: 'self'; script-src 'self' %[1]v; style-src 'self' 'unsafe-inline'; frame-src %[1]v; frame-ancestors %[1]v", source))
var inline string
if allowEvalInlineScript {
inline = "'unsafe-inline' 'unsafe-eval'"
}
w.Header().Set("Content-Security-Policy", fmt.Sprintf("default-src %[1]v 'self'; img-src %[1]v blob: 'self'; script-src 'self' %[1]v %[2]v; style-src 'self' 'unsafe-inline'; frame-src %[1]v; frame-ancestors %[1]v", source, inline))
//w.Header().Set("X-Frame-Options", "SAMEORIGIN") // Works fine with chrome but is not obsoleted by frame-src in firefox 72.0.2
w.Header().Set("X-XSS-Protection", "1; mode=block")
w.Header().Set("Referrer-Policy", "strict-origin")
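Review bot: The doc comment on WebSecurity still describes only the two-argument form; the new allowEvalInlineScript parameter and its effect on the policy are undocumented. A line such as `// allowEvalInlineScript adds 'unsafe-inline' and 'unsafe-eval' to script-src, which removes most of the XSS mitigation the CSP provides, so pass true only for apps that require it.` would make the trade-off visible to callers. When the flag is false, `%[2]v` expands to an empty string and leaves a trailing space before the `;` of script-src; CSP parsers tolerate this, but building the directive separately or passing the result through `strings.TrimSpace` would keep the header tidy. The handler body continues past the end of the hunk.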
......@@ -42,7 +42,7 @@
</div>
<div class="navbar-menu">
<div class="navbar-end">
<div class="navbar-item"><p>v4.1.0</p></div>
<div class="navbar-item"><p>v4.1.1</p></div>
</div>
</div>
</nav>