Implement Content-Security-Policy

2016-02-03 19:42:07 +01:00 · 2016-02-03 19:42:07 +01:00 · 90b74ee022
commit 90b74ee022
parent 3db100435c
5 changed files with 49 additions and 28 deletions
--- a/assets/bindata.go
+++ b/assets/bindata.go
--- a/client/src/index.html
+++ b/client/src/index.html
@ -6,11 +6,11 @@
  <title>Dispatch</title>
  <link href="https://fonts.googleapis.com/css?family=Montserrat:400,700|Roboto+Mono:400,700" rel="stylesheet">
  <link href="/bundle.css" rel="stylesheet">
 </head>
 <body>
  <div id="root"></div>
  <script id="env" type="application/json"></script>
  <script src="/bundle.js"></script>
 </body>
 </html>
--- a/client/src/js/index.js
+++ b/client/src/js/index.js
@ -13,26 +13,33 @@ const socket = new Socket(host);
 const store = configureStore(socket, browserHistory);
-if (window.__ENV__.servers) {
+const env = JSON.parse(document.getElementById('env').innerHTML);
 // TODO: Handle this properly
 window.__ENV__ = {
  defaults: env.defaults
 };
 if (env.servers) {
  store.dispatch({
    type: 'SOCKET_SERVERS',
-    data: window.__ENV__.servers
+    data: env.servers
  });
 } else {
  store.dispatch(routeActions.replace('/connect'));
 }
-if (window.__ENV__.channels) {
+if (env.channels) {
  store.dispatch({
    type: 'SOCKET_CHANNELS',
-    data: window.__ENV__.channels
+    data: env.channels
  });
 }
-if (window.__ENV__.users) {
+if (env.users) {
  store.dispatch({
    type: 'SOCKET_USERS',
-    ...window.__ENV__.users
+    ...env.users
  });
 }
--- a/server/index_template.go
+++ b/server/index_template.go
@ -7,7 +7,7 @@ import (
 var (
 	index_0 = []byte(`<!DOCTYPE html><html lang=en><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Dispatch</title><link href=/`)
-	index_1 = []byte(` rel=stylesheet></head><body><div id=root></div><script>window.__ENV__=`)
+	index_1 = []byte(` rel=stylesheet></head><body><div id=root></div><script id=env type=application/json>`)
 	index_2 = []byte(`</script><script src=/`)
 	index_3 = []byte(`></script></body></html>`)
 )
--- a/server/serve_files.go
+++ b/server/serve_files.go
@ -51,6 +51,7 @@ var (
 	}
 	hstsHeader string
 	cspEnabled bool
 )
 func initFileServer() {
@ -88,7 +89,7 @@ func initFileServer() {
 			})
 		}
-		if viper.GetBool("https.hsts.enabled") {
+		if viper.GetBool("https.hsts.enabled") && viper.GetBool("https.enabled") {
 			hstsHeader = "max-age=" + viper.GetString("https.hsts.max_age")
 			if viper.GetBool("https.hsts.include_subdomains") {
@ -98,6 +99,8 @@ func initFileServer() {
 				hstsHeader += "; preload"
 			}
 		}
 		cspEnabled = true
 	}
 }
@ -130,6 +133,17 @@ func serveIndex(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if cspEnabled {
 		var connectSrc string
 		if r.TLS != nil {
 			connectSrc = "wss://" + r.Host
 		} else {
 			connectSrc = "ws://" + r.Host
 		}
 		w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src "+connectSrc)
 	}
 	w.Header().Set("Content-Type", "text/html")
 	w.Header().Set("Cache-Control", "no-store")
 	w.Header().Set("X-Content-Type-Options", "nosniff")