Add CSP headers for all modules, though some are stricter than others

This commit is contained in:
Seednode 2024-01-30 13:22:42 -06:00
parent 352eb24c30
commit dbe3bbe0d6
8 changed files with 45 additions and 10 deletions

View File

@ -21,6 +21,8 @@ func serveExtensions(formats types.Types, available bool, errorChannel chan<- er
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
startTime := time.Now()
w.Header().Add("Content-Security-Policy", "default-src 'self';")
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
var extensions string
@ -51,14 +53,16 @@ func serveIndex(args []string, index *fileIndex, errorChannel chan<- error) http
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
startTime := time.Now()
w.Header().Add("Content-Security-Policy", "default-src 'self';")
w.Header().Set("Content-Type", "application/json;charset=UTF-8")
indexDump := index.List()
sort.SliceStable(indexDump, func(p, q int) bool {
return strings.ToLower(indexDump[p]) < strings.ToLower(indexDump[q])
})
w.Header().Set("Content-Type", "application/json;charset=UTF-8")
response, err := json.MarshalIndent(indexDump, "", " ")
if err != nil {
errorChannel <- err
@ -90,10 +94,12 @@ func serveIndexRebuild(args []string, index *fileIndex, formats types.Types, enc
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
startTime := time.Now()
rebuildIndex(args, index, formats, encoder, errorChannel)
w.Header().Add("Content-Security-Policy", "default-src 'self';")
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
rebuildIndex(args, index, formats, encoder, errorChannel)
_, err := w.Write([]byte("Ok\n"))
if err != nil {
errorChannel <- err
@ -115,6 +121,8 @@ func serveMediaTypes(formats types.Types, available bool, errorChannel chan<- er
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
startTime := time.Now()
w.Header().Add("Content-Security-Policy", "default-src 'self';")
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
var mediaTypes string

View File

@ -17,7 +17,7 @@ import (
const (
AllowedCharacters string = `^[A-z0-9.\-_]+$`
ReleaseVersion string = "8.1.0"
ReleaseVersion string = "8.2.0"
)
var (

View File

@ -55,6 +55,8 @@ func newPage(title, body, nonce string) string {
func serveStaticFile(paths []string, index *fileIndex, errorChannel chan<- error) httprouter.Handle {
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
w.Header().Add("Content-Security-Policy", "default-src 'self';")
prefix := Prefix + sourcePrefix
path := strings.TrimPrefix(r.URL.Path, prefix)
@ -157,6 +159,8 @@ func serveStaticFile(paths []string, index *fileIndex, errorChannel chan<- error
func serveRoot(paths []string, index *fileIndex, filename *regexp.Regexp, formats types.Types, encoder *zstd.Encoder, errorChannel chan<- error) httprouter.Handle {
return func(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
w.Header().Add("Content-Security-Policy", "default-src 'self';")
refererUri, err := stripQueryParams(refererToUri(r.Referer()))
if err != nil {
errorChannel <- err
@ -423,6 +427,8 @@ func serveVersion(errorChannel chan<- error) httprouter.Handle {
data := []byte(fmt.Sprintf("roulette v%s\n", ReleaseVersion))
w.Header().Add("Content-Security-Policy", "default-src 'self';")
w.Header().Set("Content-Type", "text/plain;charset=UTF-8")
w.Header().Set("Content-Length", strconv.Itoa(len(data)))

View File

@ -15,7 +15,11 @@ import (
type Format struct{}
func (t Format) CSP(w http.ResponseWriter) string {
return ""
nonce := types.GetNonce(6)
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s';", nonce))
return nonce
}
func (t Format) CSS() string {

View File

@ -26,7 +26,11 @@ type Format struct {
}
func (t Format) CSP(w http.ResponseWriter) string {
return ""
nonce := types.GetNonce(6)
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';", nonce))
return nonce
}
func (t Format) CSS() string {

View File

@ -15,7 +15,11 @@ import (
type Format struct{}
func (t Format) CSP(w http.ResponseWriter) string {
return ""
nonce := types.GetNonce(6)
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s'; script-src 'self' 'unsafe-inline'", nonce))
return nonce
}
func (t Format) CSS() string {

View File

@ -18,7 +18,11 @@ import (
type Format struct{}
func (t Format) CSP(w http.ResponseWriter) string {
return ""
nonce := types.GetNonce(6)
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s';", nonce))
return nonce
}
func (t Format) CSS() string {

View File

@ -16,7 +16,11 @@ import (
type Format struct{}
func (t Format) CSP(w http.ResponseWriter) string {
return ""
nonce := types.GetNonce(6)
w.Header().Add("Content-Security-Policy", fmt.Sprintf("default-src 'self' 'nonce-%s';", nonce))
return nonce
}
func (t Format) CSS() string {
@ -35,8 +39,9 @@ func (t Format) Title(rootUrl, fileUri, filePath, fileName, prefix, mime string)
}
func (t Format) Body(rootUrl, fileUri, filePath, fileName, prefix, mime, nonce string) (string, error) {
return fmt.Sprintf(`<a href="%s"><video controls autoplay loop preload="auto"><source src="%s" type="%s" alt="Roulette selected: %s">Your browser does not support the video tag.</video></a>`,
return fmt.Sprintf(`<a href="%s"><video nonce=%q controls autoplay loop preload="auto"><source src="%s" type="%s" alt="Roulette selected: %s">Your browser does not support the video tag.</video></a>`,
rootUrl,
nonce,
fileUri,
mime,
fileName), nil