Implement Content-Security-Policy

This commit is contained in:
Ken-Håvard Lieng 2016-02-03 19:42:07 +01:00
parent 3db100435c
commit 90b74ee022
5 changed files with 49 additions and 28 deletions

File diff suppressed because one or more lines are too long

View File

@ -6,11 +6,11 @@
<title>Dispatch</title>
<link href="https://fonts.googleapis.com/css?family=Montserrat:400,700|Roboto+Mono:400,700" rel="stylesheet">
<link href="/bundle.css" rel="stylesheet">
</head>
<body>
<div id="root"></div>
<script id="env" type="application/json"></script>
<script src="/bundle.js"></script>
</body>
</html>

View File

@ -13,26 +13,33 @@ const socket = new Socket(host);
const store = configureStore(socket, browserHistory);
if (window.__ENV__.servers) {
const env = JSON.parse(document.getElementById('env').innerHTML);
// TODO: Handle this properly
window.__ENV__ = {
defaults: env.defaults
};
if (env.servers) {
store.dispatch({
type: 'SOCKET_SERVERS',
data: window.__ENV__.servers
data: env.servers
});
} else {
store.dispatch(routeActions.replace('/connect'));
}
if (window.__ENV__.channels) {
if (env.channels) {
store.dispatch({
type: 'SOCKET_CHANNELS',
data: window.__ENV__.channels
data: env.channels
});
}
if (window.__ENV__.users) {
if (env.users) {
store.dispatch({
type: 'SOCKET_USERS',
...window.__ENV__.users
...env.users
});
}

View File

@ -7,7 +7,7 @@ import (
var (
index_0 = []byte(`<!DOCTYPE html><html lang=en><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Dispatch</title><link href=/`)
index_1 = []byte(` rel=stylesheet></head><body><div id=root></div><script>window.__ENV__=`)
index_1 = []byte(` rel=stylesheet></head><body><div id=root></div><script id=env type=application/json>`)
index_2 = []byte(`</script><script src=/`)
index_3 = []byte(`></script></body></html>`)
)

View File

@ -51,6 +51,7 @@ var (
}
hstsHeader string
cspEnabled bool
)
func initFileServer() {
@ -88,7 +89,7 @@ func initFileServer() {
})
}
if viper.GetBool("https.hsts.enabled") {
if viper.GetBool("https.hsts.enabled") && viper.GetBool("https.enabled") {
hstsHeader = "max-age=" + viper.GetString("https.hsts.max_age")
if viper.GetBool("https.hsts.include_subdomains") {
@ -98,6 +99,8 @@ func initFileServer() {
hstsHeader += "; preload"
}
}
cspEnabled = true
}
}
@ -130,6 +133,17 @@ func serveIndex(w http.ResponseWriter, r *http.Request) {
return
}
if cspEnabled {
var connectSrc string
if r.TLS != nil {
connectSrc = "wss://" + r.Host
} else {
connectSrc = "ws://" + r.Host
}
w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src "+connectSrc)
}
w.Header().Set("Content-Type", "text/html")
w.Header().Set("Cache-Control", "no-store")
w.Header().Set("X-Content-Type-Options", "nosniff")