Implement Content-Security-Policy

server/index_template.go

@@ -7,7 +7,7 @@ import (
 
 var (
 	index_0 = []byte(`<!DOCTYPE html><html lang=en><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Dispatch</title><link href=/`)
-	index_1 = []byte(` rel=stylesheet></head><body><div id=root></div><script>window.__ENV__=`)
+	index_1 = []byte(` rel=stylesheet></head><body><div id=root></div><script id=env type=application/json>`)
 	index_2 = []byte(`</script><script src=/`)
 	index_3 = []byte(`></script></body></html>`)
 )

server/serve_files.go

@@ -51,6 +51,7 @@ var (
 	}
 
 	hstsHeader string
+	cspEnabled bool
 )
 
 func initFileServer() {
@@ -88,7 +89,7 @@ func initFileServer() {
 			})
 		}
 
-		if viper.GetBool("https.hsts.enabled") {
+		if viper.GetBool("https.hsts.enabled") && viper.GetBool("https.enabled") {
 			hstsHeader = "max-age=" + viper.GetString("https.hsts.max_age")
 
 			if viper.GetBool("https.hsts.include_subdomains") {
@@ -98,6 +99,8 @@ func initFileServer() {
 				hstsHeader += "; preload"
 			}
 		}
+
+		cspEnabled = true
 	}
 }
 
@@ -130,6 +133,17 @@ func serveIndex(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if cspEnabled {
+		var connectSrc string
+		if r.TLS != nil {
+			connectSrc = "wss://" + r.Host
+		} else {
+			connectSrc = "ws://" + r.Host
+		}
+
+		w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src "+connectSrc)
+	}
+
 	w.Header().Set("Content-Type", "text/html")
 	w.Header().Set("Cache-Control", "no-store")
 	w.Header().Set("X-Content-Type-Options", "nosniff")