Add CSP headers for all modules, though some are stricter than others
This commit is contained in:
parent
352eb24c30
commit
dbe3bbe0d6
14
cmd/info.go
14
cmd/info.go
|
@ -21,6 +21,8 @@ func serveExtensions(formats types.Types, available bool, errorChannel chan<- er
|
|||
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
||||
startTime := time.Now()
|
||||
|
||||
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||
|
||||
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
|
||||
|
||||
var extensions string
|
||||
|
@ -51,14 +53,16 @@ func serveIndex(args []string, index *fileIndex, errorChannel chan<- error) http
|
|||
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
||||
startTime := time.Now()
|
||||
|
||||
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||
|
||||
w.Header().Set("Content-Type", "application/json;charset=UTF-8")
|
||||
|
||||
indexDump := index.List()
|
||||
|
||||
sort.SliceStable(indexDump, func(p, q int) bool {
|
||||
return strings.ToLower(indexDump[p]) < strings.ToLower(indexDump[q])
|
||||
})
|
||||
|
||||
w.Header().Set("Content-Type", "application/json;charset=UTF-8")
|
||||
|
||||
response, err := json.MarshalIndent(indexDump, "", " ")
|
||||
if err != nil {
|
||||
errorChannel <- err
|
||||
|
@ -90,10 +94,12 @@ func serveIndexRebuild(args []string, index *fileIndex, formats types.Types, enc
|
|||
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
||||
startTime := time.Now()
|
||||
|
||||
rebuildIndex(args, index, formats, encoder, errorChannel)
|
||||
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||
|
||||
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
|
||||
|
||||
rebuildIndex(args, index, formats, encoder, errorChannel)
|
||||
|
||||
_, err := w.Write([]byte("Ok\n"))
|
||||
if err != nil {
|
||||
errorChannel <- err
|
||||
|
@ -115,6 +121,8 @@ func serveMediaTypes(formats types.Types, available bool, errorChannel chan<- er
|
|||
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
||||
startTime := time.Now()
|
||||
|
||||
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||
|
||||
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
|
||||
|
||||
var mediaTypes string
|
||||
|
|
|
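Review bot: In the serveIndex hunk (`@ -51,14 +53,16`) the JSON Content-Type is now set twice — the new `w.Header().Set("Content-Type", "application/json;charset=UTF-8")` directly under the CSP line and the pre-existing one after the sort — so one of the two should go. The three other hunks in this file add the policy with `w.Header().Add`; since each handler intends exactly one policy on its response, `w.Header().Set("Content-Security-Policy", "default-src 'self';")` states that intent and avoids stacking a second policy if anything earlier in the chain already added one, because browsers enforce every policy present. Each handler body continues outside its hunk.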
@ -17,7 +17,7 @@ import (
|
|||
|
||||
const (
|
||||
AllowedCharacters string = `^[A-z0-9.\-_]+$`
|
||||
ReleaseVersion string = "8.1.0"
|
||||
ReleaseVersion string = "8.2.0"
|
||||
)
|
||||
|
||||
var (
|
||||
|
|
|
@ -55,6 +55,8 @@ func newPage(title, body, nonce string) string {
|
|||
|
||||
func serveStaticFile(paths []string, index *fileIndex, errorChannel chan<- error) httprouter.Handle {
|
||||
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
||||
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||
|
||||
prefix := Prefix + sourcePrefix
|
||||
|
||||
path := strings.TrimPrefix(r.URL.Path, prefix)
|
||||
|
@ -157,6 +159,8 @@ func serveStaticFile(paths []string, index *fileIndex, errorChannel chan<- error
|
|||
|
||||
func serveRoot(paths []string, index *fileIndex, filename *regexp.Regexp, formats types.Types, encoder *zstd.Encoder, errorChannel chan<- error) httprouter.Handle {
|
||||
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
||||
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||
|
||||
refererUri, err := stripQueryParams(refererToUri(r.Referer()))
|
||||
if err != nil {
|
||||
errorChannel <- err
|
||||
|
@ -423,6 +427,8 @@ func serveVersion(errorChannel chan<- error) httprouter.Handle {
|
|||
|
||||
data := []byte(fmt.Sprintf("roulette v%s\n", ReleaseVersion))
|
||||
|
||||
w.Header().Add("Content-Security-Policy", "default-src 'self';")
|
||||
|
||||
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
|
||||
|
||||
w.Header().Set("Content-Length", strconv.Itoa(len(data)))
|
||||
|
|
|
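Review bot: The `default-src 'self';` policy added at the top of serveRoot (hunk `@ -157,6 +159,8`) carries no nonce, so if this handler later calls a Format's CSP method — which in this commit also does `Header().Add` of a nonce-bearing policy — the response ends up with two policies and the browser enforces both, meaning the nonced inline content permitted by the second is still blocked by this one. Whether serveRoot calls Format.CSP is not visible in the hunk; if it does, either drop this line from serveRoot or have the Format method `Set` the header rather than `Add` it. The static-file and version hunks serve non-HTML bodies, so the strict policy is appropriate there; the version-bump hunk needs no review. serveRoot's body continues outside the hunk.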
@ -15,7 +15,11 @@ import (
|
|||
type Format struct{}
|
||||
|
||||
func (t Format) CSP(w http.ResponseWriter) string {
|
||||
return ""
|
||||
nonce := types.GetNonce(6)
|
||||
|
||||
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s';", nonce))
|
||||
|
||||
return nonce
|
||||
}
|
||||
|
||||
func (t Format) CSS() string {
|
||||
|
|
|
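Review bot: `nonce := types.GetNonce(6)` in the new CSP method looks like it yields a six-character nonce; if so, that is well short of the roughly 128 bits the CSP specification recommends, and a nonce an attacker can guess lets injected markup carry a valid `nonce` attribute. GetNonce is not visible here, so confirm both its output size and that it draws from crypto/rand; 16 random bytes base64-encoded is the usual shape. The exported method also lacks a doc comment — `// CSP adds this format's Content-Security-Policy header to w and returns the nonce it permits.` The same call appears in the CSP methods of the following four files (hunks `@ -26,7 +26,11`, `@ -15,7 +15,11`, `@ -18,7 +18,11` and `@ -16,7 +16,11`).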
@ -26,7 +26,11 @@ type Format struct {
|
|||
}
|
||||
|
||||
func (t Format) CSP(w http.ResponseWriter) string {
|
||||
return ""
|
||||
nonce := types.GetNonce(6)
|
||||
|
||||
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';", nonce))
|
||||
|
||||
return nonce
|
||||
}
|
||||
|
||||
func (t Format) CSS() string {
|
||||
|
|
|
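Review bot: In the new policy string, `script-src 'self' 'unsafe-inline'` and `style-src 'self' 'unsafe-inline'` carry no nonce, and once script-src is present it replaces the nonced default-src for scripts, so inline scripts are allowed wholesale and the nonce this method mints protects nothing for this format. Since the nonce already exists, the directives can use it: `script-src 'self' 'nonce-%s'; style-src 'self' 'nonce-%s';` with `nonce` passed three times to Sprintf, and the inline handlers in this format's markup given the attribute. Browsers that understand nonces ignore 'unsafe-inline' in a directive that also has one, so it adds nothing once the nonce is in place. The `@ -15,7 +15,11` hunk in the next file has the same `script-src 'self' 'unsafe-inline'` pattern.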
@ -15,7 +15,11 @@ import (
|
|||
type Format struct{}
|
||||
|
||||
func (t Format) CSP(w http.ResponseWriter) string {
|
||||
return ""
|
||||
nonce := types.GetNonce(6)
|
||||
|
||||
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s'; script-src 'self' 'unsafe-inline'", nonce))
|
||||
|
||||
return nonce
|
||||
}
|
||||
|
||||
func (t Format) CSS() string {
|
||||
|
|
|
@ -18,7 +18,11 @@ import (
|
|||
type Format struct{}
|
||||
|
||||
func (t Format) CSP(w http.ResponseWriter) string {
|
||||
return ""
|
||||
nonce := types.GetNonce(6)
|
||||
|
||||
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s';", nonce))
|
||||
|
||||
return nonce
|
||||
}
|
||||
|
||||
func (t Format) CSS() string {
|
||||
|
|
|
@ -16,7 +16,11 @@ import (
|
|||
type Format struct{}
|
||||
|
||||
func (t Format) CSP(w http.ResponseWriter) string {
|
||||
return ""
|
||||
nonce := types.GetNonce(6)
|
||||
|
||||
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s';", nonce))
|
||||
|
||||
return nonce
|
||||
}
|
||||
|
||||
func (t Format) CSS() string {
|
||||
|
@ -35,8 +39,9 @@ func (t Format) Title(rootUrl, fileUri, filePath, fileName, prefix, mime string)
|
|||
}
|
||||
|
||||
func (t Format) Body(rootUrl, fileUri, filePath, fileName, prefix, mime, nonce string) (string, error) {
|
||||
return fmt.Sprintf(`<a href="%s"><video controls autoplay loop preload="auto"><source src="%s" type="%s" alt="Roulette selected: %s">Your browser does not support the video tag.</video></a>`,
|
||||
return fmt.Sprintf(`<a href="%s"><video nonce=%q controls autoplay loop preload="auto"><source src="%s" type="%s" alt="Roulette selected: %s">Your browser does not support the video tag.</video></a>`,
|
||||
rootUrl,
|
||||
nonce,
|
||||
fileUri,
|
||||
mime,
|
||||
fileName), nil
|
||||
|
|
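Review bot: The `nonce=%q` attribute added to the `<video>` element in Body (hunk `@ -35,8 +39,9`) has no CSP effect: nonces are honored only on script and style elements, while media is governed by media-src (here falling back to `default-src 'self'`), so the video loads or is blocked purely on the origin of `fileUri` regardless of this attribute. If the goal is to allow the video, the attribute and the extra `nonce` argument can be dropped; if the nonce is meant for an inline script or style elsewhere in the page, it belongs on that element. `%q` also produces Go-style quoting, which only matches HTML attribute quoting while the nonce contains no characters needing escapes — true for base64-style output, but worth a `// nonce is expected to be alphanumeric/base64; %q is safe here` comment once GetNonce's alphabet is confirmed.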