Add CSP headers for all modules, though some are stricter than others
This commit is contained in:
parent
352eb24c30
commit
dbe3bbe0d6
14
cmd/info.go
14
cmd/info.go
|
@ -21,6 +21,8 @@ func serveExtensions(formats types.Types, available bool, errorChannel chan<- er
|
||||||
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
||||||
startTime := time.Now()
|
startTime := time.Now()
|
||||||
|
|
||||||
|
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||||
|
|
||||||
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
|
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
|
||||||
|
|
||||||
var extensions string
|
var extensions string
|
||||||
|
@ -51,14 +53,16 @@ func serveIndex(args []string, index *fileIndex, errorChannel chan<- error) http
|
||||||
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
||||||
startTime := time.Now()
|
startTime := time.Now()
|
||||||
|
|
||||||
|
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||||
|
|
||||||
|
w.Header().Set("Content-Type", "application/json;charset=UTF-8")
|
||||||
|
|
||||||
indexDump := index.List()
|
indexDump := index.List()
|
||||||
|
|
||||||
sort.SliceStable(indexDump, func(p, q int) bool {
|
sort.SliceStable(indexDump, func(p, q int) bool {
|
||||||
return strings.ToLower(indexDump[p]) < strings.ToLower(indexDump[q])
|
return strings.ToLower(indexDump[p]) < strings.ToLower(indexDump[q])
|
||||||
})
|
})
|
||||||
|
|
||||||
w.Header().Set("Content-Type", "application/json;charset=UTF-8")
|
|
||||||
|
|
||||||
response, err := json.MarshalIndent(indexDump, "", " ")
|
response, err := json.MarshalIndent(indexDump, "", " ")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
errorChannel <- err
|
errorChannel <- err
|
||||||
|
@ -90,10 +94,12 @@ func serveIndexRebuild(args []string, index *fileIndex, formats types.Types, enc
|
||||||
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
||||||
startTime := time.Now()
|
startTime := time.Now()
|
||||||
|
|
||||||
rebuildIndex(args, index, formats, encoder, errorChannel)
|
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||||
|
|
||||||
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
|
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
|
||||||
|
|
||||||
|
rebuildIndex(args, index, formats, encoder, errorChannel)
|
||||||
|
|
||||||
_, err := w.Write([]byte("Ok\n"))
|
_, err := w.Write([]byte("Ok\n"))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
errorChannel <- err
|
errorChannel <- err
|
||||||
|
@ -115,6 +121,8 @@ func serveMediaTypes(formats types.Types, available bool, errorChannel chan<- er
|
||||||
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
||||||
startTime := time.Now()
|
startTime := time.Now()
|
||||||
|
|
||||||
|
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||||
|
|
||||||
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
|
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
|
||||||
|
|
||||||
var mediaTypes string
|
var mediaTypes string
|
||||||
|
|
|
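Review bot: The new `w.Header().Add("Content-Security-Policy", "default-src 'self';")` lines in serveExtensions, serveIndex, serveIndexRebuild and serveMediaTypes use Add while the neighbouring Content-Type line uses Set; if any outer middleware already emits a Content-Security-Policy header, Add yields a second header, and a browser enforces every CSP header it receives, so the effective policy becomes the intersection rather than this string. Using `w.Header().Set("Content-Security-Policy", "default-src 'self';")` makes the handler's policy explicit and matches the Set used for Content-Type on the next line. The same literal is repeated in the serveStaticFile, serveRoot and serveVersion hunks of the next file section; a package-level constant such as `const defaultCSP = "default-src 'self';"` would keep the seven copies from drifting apart. Each enclosing handler body continues outside its hunk.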
@ -17,7 +17,7 @@ import (
|
||||||
|
|
||||||
const (
|
const (
|
||||||
AllowedCharacters string = `^[A-z0-9.\-_]+$`
|
AllowedCharacters string = `^[A-z0-9.\-_]+$`
|
||||||
ReleaseVersion string = "8.1.0"
|
ReleaseVersion string = "8.2.0"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
|
|
@ -55,6 +55,8 @@ func newPage(title, body, nonce string) string {
|
||||||
|
|
||||||
func serveStaticFile(paths []string, index *fileIndex, errorChannel chan<- error) httprouter.Handle {
|
func serveStaticFile(paths []string, index *fileIndex, errorChannel chan<- error) httprouter.Handle {
|
||||||
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
||||||
|
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||||
|
|
||||||
prefix := Prefix + sourcePrefix
|
prefix := Prefix + sourcePrefix
|
||||||
|
|
||||||
path := strings.TrimPrefix(r.URL.Path, prefix)
|
path := strings.TrimPrefix(r.URL.Path, prefix)
|
||||||
|
@ -157,6 +159,8 @@ func serveStaticFile(paths []string, index *fileIndex, errorChannel chan<- error
|
||||||
|
|
||||||
func serveRoot(paths []string, index *fileIndex, filename *regexp.Regexp, formats types.Types, encoder *zstd.Encoder, errorChannel chan<- error) httprouter.Handle {
|
func serveRoot(paths []string, index *fileIndex, filename *regexp.Regexp, formats types.Types, encoder *zstd.Encoder, errorChannel chan<- error) httprouter.Handle {
|
||||||
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
||||||
|
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||||
|
|
||||||
refererUri, err := stripQueryParams(refererToUri(r.Referer()))
|
refererUri, err := stripQueryParams(refererToUri(r.Referer()))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
errorChannel <- err
|
errorChannel <- err
|
||||||
|
@ -423,6 +427,8 @@ func serveVersion(errorChannel chan<- error) httprouter.Handle {
|
||||||
|
|
||||||
data := []byte(fmt.Sprintf("roulette v%s\n", ReleaseVersion))
|
data := []byte(fmt.Sprintf("roulette v%s\n", ReleaseVersion))
|
||||||
|
|
||||||
|
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||||
|
|
||||||
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
|
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
|
||||||
|
|
||||||
w.Header().Set("Content-Length", strconv.Itoa(len(data)))
|
w.Header().Set("Content-Length", strconv.Itoa(len(data)))
|
||||||
|
|
|
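Review bot: serveRoot now emits `default-src 'self';` at the top of the handler, yet the Format.CSP methods changed in this commit add a second, nonce-bearing Content-Security-Policy header; if serveRoot goes on to call the selected format's CSP(w) (the call is not in this hunk, but newPage taking a nonce suggests it), the response carries two policies and the browser enforces both, so inline elements allowed by the nonce are still blocked by the first header's `default-src 'self'`. Either drop the Add in serveRoot and let the format set the single policy, or have serveRoot build one header that already includes the format's directives. serveStaticFile and serveVersion serve non-HTML bodies, where the plain `default-src 'self';` is appropriate, and here too `Set` rather than `Add` would state the intended policy unambiguously. The ReleaseVersion bump needs no review.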
@ -15,7 +15,11 @@ import (
|
||||||
type Format struct{}
|
type Format struct{}
|
||||||
|
|
||||||
func (t Format) CSP(w http.ResponseWriter) string {
|
func (t Format) CSP(w http.ResponseWriter) string {
|
||||||
return ""
|
nonce := types.GetNonce(6)
|
||||||
|
|
||||||
|
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s';", nonce))
|
||||||
|
|
||||||
|
return nonce
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t Format) CSS() string {
|
func (t Format) CSS() string {
|
||||||
|
|
|
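Review bot: `nonce := types.GetNonce(6)` in the new CSP method produces a very short nonce; if the argument is a length in characters, six characters is far below the 128 bits of randomness CSP recommends for nonces, which makes the value predictable and weakens the inline allow-listing the header is meant to provide. A nonce built from at least 16 random bytes (about 22 base64 characters), e.g. `nonce := types.GetNonce(22)`, would meet that guidance, assuming GetNonce draws from a cryptographic source, which is worth confirming since its implementation is not on this page. The same `GetNonce(6)` call appears in the CSP hunks of the four following format files. As in cmd/info.go, the header is emitted with Add rather than Set, so any pre-existing Content-Security-Policy header would be combined with this one rather than replaced.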
@ -26,7 +26,11 @@ type Format struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t Format) CSP(w http.ResponseWriter) string {
|
func (t Format) CSP(w http.ResponseWriter) string {
|
||||||
return ""
|
nonce := types.GetNonce(6)
|
||||||
|
|
||||||
|
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';", nonce))
|
||||||
|
|
||||||
|
return nonce
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t Format) CSS() string {
|
func (t Format) CSS() string {
|
||||||
|
|
|
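Review bot: The new header `default-src 'self' 'nonce-%s'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';` places the nonce only in default-src while script-src and style-src override it with 'unsafe-inline', so for scripts and styles any inline content is permitted and the nonce gives no protection against injected markup. If the format's inline script and style already carry the nonce attribute (not visible here), `script-src 'self' 'nonce-%s'; style-src 'self' 'nonce-%s';` with the nonce passed twice to Sprintf keeps them working while dropping 'unsafe-inline'; if they do not, adding the nonce to those elements is the change to make rather than relaxing the policy. The `@ -15,7 +15,11 @@` hunk of the following section has the same `script-src 'self' 'unsafe-inline'` and additionally lacks the trailing semicolon the other formats use.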
@ -15,7 +15,11 @@ import (
|
||||||
type Format struct{}
|
type Format struct{}
|
||||||
|
|
||||||
func (t Format) CSP(w http.ResponseWriter) string {
|
func (t Format) CSP(w http.ResponseWriter) string {
|
||||||
return ""
|
nonce := types.GetNonce(6)
|
||||||
|
|
||||||
|
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s'; script-src 'self' 'unsafe-inline'", nonce))
|
||||||
|
|
||||||
|
return nonce
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t Format) CSS() string {
|
func (t Format) CSS() string {
|
||||||
|
|
|
@ -18,7 +18,11 @@ import (
|
||||||
type Format struct{}
|
type Format struct{}
|
||||||
|
|
||||||
func (t Format) CSP(w http.ResponseWriter) string {
|
func (t Format) CSP(w http.ResponseWriter) string {
|
||||||
return ""
|
nonce := types.GetNonce(6)
|
||||||
|
|
||||||
|
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s';", nonce))
|
||||||
|
|
||||||
|
return nonce
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t Format) CSS() string {
|
func (t Format) CSS() string {
|
||||||
|
|
|
@ -16,7 +16,11 @@ import (
|
||||||
type Format struct{}
|
type Format struct{}
|
||||||
|
|
||||||
func (t Format) CSP(w http.ResponseWriter) string {
|
func (t Format) CSP(w http.ResponseWriter) string {
|
||||||
return ""
|
nonce := types.GetNonce(6)
|
||||||
|
|
||||||
|
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s';", nonce))
|
||||||
|
|
||||||
|
return nonce
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t Format) CSS() string {
|
func (t Format) CSS() string {
|
||||||
|
@ -35,8 +39,9 @@ func (t Format) Title(rootUrl, fileUri, filePath, fileName, prefix, mime string)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t Format) Body(rootUrl, fileUri, filePath, fileName, prefix, mime, nonce string) (string, error) {
|
func (t Format) Body(rootUrl, fileUri, filePath, fileName, prefix, mime, nonce string) (string, error) {
|
||||||
return fmt.Sprintf(`<a href="%s"><video controls autoplay loop preload="auto"><source src="%s" type="%s" alt="Roulette selected: %s">Your browser does not support the video tag.</video></a>`,
|
return fmt.Sprintf(`<a href="%s"><video nonce=%q controls autoplay loop preload="auto"><source src="%s" type="%s" alt="Roulette selected: %s">Your browser does not support the video tag.</video></a>`,
|
||||||
rootUrl,
|
rootUrl,
|
||||||
|
nonce,
|
||||||
fileUri,
|
fileUri,
|
||||||
mime,
|
mime,
|
||||||
fileName), nil
|
fileName), nil
|
||||||
|
|
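Review bot: The `nonce=%q` attribute added to the `<video>` element in Body has no CSP effect, because nonces only allow-list script and style elements; the `<source src>` is governed by media-src, which under this format's `default-src 'self' 'nonce-%s';` falls back to 'self' and needs no nonce. Unless the template also emits an inline script or style that uses the nonce, the attribute and the extra `nonce,` argument can be dropped and the original `<video controls autoplay loop preload="auto">` restored. If it stays, `%q` applies Go string quoting rather than HTML attribute escaping, which is only safe as long as GetNonce emits attribute-safe characters, so that assumption should be checked at the nonce source. The CSP method for this format is in the earlier hunk of this section and follows the same pattern as the other formats.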