Implement Content-Security-Policy
This commit is contained in:
parent
3db100435c
commit
90b74ee022
@ -6,11 +6,11 @@
|
||||
|
||||
<title>Dispatch</title>
|
||||
|
||||
<link href="https://fonts.googleapis.com/css?family=Montserrat:400,700|Roboto+Mono:400,700" rel="stylesheet">
|
||||
<link href="/bundle.css" rel="stylesheet">
|
||||
</head>
|
||||
<body>
|
||||
<div id="root"></div>
|
||||
<script id="env" type="application/json"></script>
|
||||
<script src="/bundle.js"></script>
|
||||
</body>
|
||||
</html>
|
||||
|
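Review bot: The Google Fonts stylesheet link kept on the new side (`<link href="https://fonts.googleapis.com/css?family=...">`) is not covered by the policy this commit introduces elsewhere (`style-src 'self' 'unsafe-inline'; font-src 'self'`), so if this page is ever served through the handler that emits the header, the stylesheet and the fonts it pulls are blocked. The generated Go template in the same commit does not carry that link, so this presumably affects only the development build; worth confirming which handler serves this file. The new `<script id="env" type="application/json"></script>` ships empty here while the client now parses its content unconditionally, so either this file needs the element filled in or the client needs a guard before it can boot.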
@ -13,26 +13,33 @@ const socket = new Socket(host);
|
||||
|
||||
const store = configureStore(socket, browserHistory);
|
||||
|
||||
if (window.__ENV__.servers) {
|
||||
const env = JSON.parse(document.getElementById('env').innerHTML);
|
||||
|
||||
// TODO: Handle this properly
|
||||
window.__ENV__ = {
|
||||
defaults: env.defaults
|
||||
};
|
||||
|
||||
if (env.servers) {
|
||||
store.dispatch({
|
||||
type: 'SOCKET_SERVERS',
|
||||
data: window.__ENV__.servers
|
||||
data: env.servers
|
||||
});
|
||||
} else {
|
||||
store.dispatch(routeActions.replace('/connect'));
|
||||
}
|
||||
|
||||
if (window.__ENV__.channels) {
|
||||
if (env.channels) {
|
||||
store.dispatch({
|
||||
type: 'SOCKET_CHANNELS',
|
||||
data: window.__ENV__.channels
|
||||
data: env.channels
|
||||
});
|
||||
}
|
||||
|
||||
if (window.__ENV__.users) {
|
||||
if (env.users) {
|
||||
store.dispatch({
|
||||
type: 'SOCKET_USERS',
|
||||
...window.__ENV__.users
|
||||
...env.users
|
||||
});
|
||||
}
|
||||
|
||||
|
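Review bot: `const env = JSON.parse(document.getElementById('env').innerHTML);` throws a SyntaxError when the element is missing or empty (the development index.html in this commit ships it empty), and because it runs at module top level the whole client fails to start instead of falling through to the `/connect` route. A guard such as `const envEl = document.getElementById('env');` / `const env = envEl && envEl.textContent ? JSON.parse(envEl.textContent) : {};` keeps the existing `else` branch reachable, and `textContent` is the conventional way to read a data block — for a script element `innerHTML` yields the same raw text, but it signals markup handling that is not wanted here. The `// TODO: Handle this properly` assignment still republishes `env.defaults` on `window.__ENV__`, so other modules keep reading a global; the TODO should name which consumers still depend on it so the global can be retired. On the server side, whatever is serialized into the `env` element must not contain a literal `</script>` sequence; Go's encoding/json escapes `<` and `>` by default, which covers this as long as the writer does not turn HTML escaping off — the writer is not in this diff, so it is worth confirming.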
@ -7,7 +7,7 @@ import (
|
||||
|
||||
var (
|
||||
index_0 = []byte(`<!DOCTYPE html><html lang=en><head><meta charset=UTF-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Dispatch</title><link href=/`)
|
||||
index_1 = []byte(` rel=stylesheet></head><body><div id=root></div><script>window.__ENV__=`)
|
||||
index_1 = []byte(` rel=stylesheet></head><body><div id=root></div><script id=env type=application/json>`)
|
||||
index_2 = []byte(`</script><script src=/`)
|
||||
index_3 = []byte(`></script></body></html>`)
|
||||
)
|
||||
|
@ -51,6 +51,7 @@ var (
|
||||
}
|
||||
|
||||
hstsHeader string
|
||||
cspEnabled bool
|
||||
)
|
||||
|
||||
func initFileServer() {
|
||||
@ -88,7 +89,7 @@ func initFileServer() {
|
||||
})
|
||||
}
|
||||
|
||||
if viper.GetBool("https.hsts.enabled") {
|
||||
if viper.GetBool("https.hsts.enabled") && viper.GetBool("https.enabled") {
|
||||
hstsHeader = "max-age=" + viper.GetString("https.hsts.max_age")
|
||||
|
||||
if viper.GetBool("https.hsts.include_subdomains") {
|
||||
@ -98,6 +99,8 @@ func initFileServer() {
|
||||
hstsHeader += "; preload"
|
||||
}
|
||||
}
|
||||
|
||||
cspEnabled = true
|
||||
}
|
||||
}
|
||||
|
||||
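Review bot: `cspEnabled = true` is set inside a block whose opening condition lies above this hunk (the two closing braces after it appear to belong to that block and to initFileServer), so whether the policy is emitted at all depends on that condition rather than on a setting of its own, unlike HSTS which is gated by `https.hsts.enabled`. If that enclosing condition skips the development build, the policy is never exercised against the dev index.html, which still references an external font host, and breakage would only surface in production. A dedicated setting read the same way as the HSTS flags (key name to be chosen) would make the toggle explicit and let operators disable the header while they tune it; initFileServer starts outside this hunk.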
@ -130,6 +133,17 @@ func serveIndex(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if cspEnabled {
|
||||
var connectSrc string
|
||||
if r.TLS != nil {
|
||||
connectSrc = "wss://" + r.Host
|
||||
} else {
|
||||
connectSrc = "ws://" + r.Host
|
||||
}
|
||||
|
||||
w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; connect-src "+connectSrc)
|
||||
}
|
||||
|
||||
w.Header().Set("Content-Type", "text/html")
|
||||
w.Header().Set("Cache-Control", "no-store")
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
|
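Review bot: `connectSrc` is built from `r.Host`, which is the client-supplied Host header; net/http only checks it for permitted characters, so a value the operator never configured is reflected into a security header instead of coming from configuration. Prefer the configured public hostname here, or validate `r.Host` against it before use; CSP Level 3 also lets `connect-src 'self'` match same-origin ws:/wss:, which would remove the need to spell the host out, though browser support at the time of this commit may be why it is explicit. The `r.TLS != nil` check picks `ws://` when TLS is terminated by a reverse proxy in front of this server, so a page loaded over https then gets a policy that blocks its own `wss://` socket — if that deployment is supported, the scheme needs to come from the proxy's forwarded-proto header or from configuration rather than from the local connection. With `default-src 'none'` as the fallback, `img-src`, `media-src` and `worker-src` are closed as well, which is fine only if the client loads no images or workers; worth checking. serveIndex starts and ends outside this hunk.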