Implement Content-Security-Policy

This commit is contained in:
Ken-Håvard Lieng 2016-02-03 19:42:07 +01:00
parent 3db100435c
commit 90b74ee022
5 changed files with 49 additions and 28 deletions

File diff suppressed because one or more lines are too long

View File

@ -6,11 +6,11 @@
<title>Dispatch</title> <title>Dispatch</title>
<link href="https://fonts.googleapis.com/css?family=Montserrat:400,700|Roboto+Mono:400,700" rel="stylesheet">
<link href="/bundle.css" rel="stylesheet"> <link href="/bundle.css" rel="stylesheet">
</head> </head>
<body> <body>
<div id="root"></div> <div id="root"></div>
<script id="env" type="application/json"></script>
<script src="/bundle.js"></script> <script src="/bundle.js"></script>
</body> </body>
</html> </html>

View File

@ -13,26 +13,33 @@ const socket = new Socket(host);
const store = configureStore(socket, browserHistory); const store = configureStore(socket, browserHistory);
if (window.__ENV__.servers) { const env = JSON.parse(document.getElementById('env').innerHTML);
// TODO: Handle this properly
window.__ENV__ = {
defaults: env.defaults
};
if (env.servers) {
store.dispatch({ store.dispatch({
type: 'SOCKET_SERVERS', type: 'SOCKET_SERVERS',
data: window.__ENV__.servers data: env.servers
}); });
} else { } else {
store.dispatch(routeActions.replace('/connect')); store.dispatch(routeActions.replace('/connect'));
} }
if (window.__ENV__.channels) { if (env.channels) {
store.dispatch({ store.dispatch({
type: 'SOCKET_CHANNELS', type: 'SOCKET_CHANNELS',
data: window.__ENV__.channels data: env.channels
}); });
} }
if (window.__ENV__.users) { if (env.users) {
store.dispatch({ store.dispatch({
type: 'SOCKET_USERS', type: 'SOCKET_USERS',
...window.__ENV__.users ...env.users
}); });
} }

View File

@ -7,7 +7,7 @@ import (
var ( var (
index_0 = []byte(`<!DOCTYPE html><html lang=en><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Dispatch</title><link href=/`) index_0 = []byte(`<!DOCTYPE html><html lang=en><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Dispatch</title><link href=/`)
index_1 = []byte(` rel=stylesheet></head><body><div id=root></div><script>window.__ENV__=`) index_1 = []byte(` rel=stylesheet></head><body><div id=root></div><script id=env type=application/json>`)
index_2 = []byte(`</script><script src=/`) index_2 = []byte(`</script><script src=/`)
index_3 = []byte(`></script></body></html>`) index_3 = []byte(`></script></body></html>`)
) )

View File

@ -51,6 +51,7 @@ var (
} }
hstsHeader string hstsHeader string
cspEnabled bool
) )
func initFileServer() { func initFileServer() {
@ -88,7 +89,7 @@ func initFileServer() {
}) })
} }
if viper.GetBool("https.hsts.enabled") { if viper.GetBool("https.hsts.enabled") && viper.GetBool("https.enabled") {
hstsHeader = "max-age=" + viper.GetString("https.hsts.max_age") hstsHeader = "max-age=" + viper.GetString("https.hsts.max_age")
if viper.GetBool("https.hsts.include_subdomains") { if viper.GetBool("https.hsts.include_subdomains") {
@ -98,6 +99,8 @@ func initFileServer() {
hstsHeader += "; preload" hstsHeader += "; preload"
} }
} }
cspEnabled = true
} }
} }
@ -130,6 +133,17 @@ func serveIndex(w http.ResponseWriter, r *http.Request) {
return return
} }
if cspEnabled {
var connectSrc string
if r.TLS != nil {
connectSrc = "wss://" + r.Host
} else {
connectSrc = "ws://" + r.Host
}
w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src "+connectSrc)
}
w.Header().Set("Content-Type", "text/html") w.Header().Set("Content-Type", "text/html")
w.Header().Set("Cache-Control", "no-store") w.Header().Set("Cache-Control", "no-store")
w.Header().Set("X-Content-Type-Options", "nosniff") w.Header().Set("X-Content-Type-Options", "nosniff")