From 5e368d308942b8727e3086065a515d5fc9808e50 Mon Sep 17 00:00:00 2001
From: Daenney
Date: Sat, 12 Aug 2023 12:21:48 +0200
Subject: [PATCH] [bugfix] CSP policy fixes for S3/object storage (#2104)

* [bugfix] CSP policy fixes for S3 in non-proxied mode

* It should be img-src

* In both img-src and media-src we still need to include 'self'
---
 internal/middleware/extraheaders.go | 8 ++++++--
 internal/middleware/middleware_test.go | 8 ++++----
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go
index cd207a9f1..be7591be1 100644
--- a/internal/middleware/extraheaders.go
+++ b/internal/middleware/extraheaders.go
@@ -83,11 +83,15 @@ func BuildContentSecurityPolicy() string {
 	// Construct endpoint URL.
 	s3EndpointURLStr := scheme + "://" + s3Endpoint
 
+	// When object storage is in use in non-proxied mode, GtS still serves some
+	// assets itself like the logo, so keep 'self' in there. That should also
+	// handle any redirects from the fileserver to object storage.
+
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
-	policy += "; image-src " + s3EndpointURLStr
+	policy += "; img-src 'self' " + s3EndpointURLStr
 
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
-	policy += "; media-src " + s3EndpointURLStr
+	policy += "; media-src 'self' " + s3EndpointURLStr
 
 	return policy
 }

diff --git a/internal/middleware/middleware_test.go b/internal/middleware/middleware_test.go
index fecae5dd1..81c7c0be1 100644
--- a/internal/middleware/middleware_test.go
+++ b/internal/middleware/middleware_test.go
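Review bot: The new `img-src` and `media-src` lines splice the configured endpoint into the header verbatim, and `; ` is the directive separator, so an `s3Endpoint` value containing whitespace or `;` would become extra or malformed directives instead of one host-source; the value appears to come from operator configuration rather than request input, so exposure is low, but rejecting anything that is not a bare `host[:port]` at config-load time would fail fast, or at minimum the trust assumption should be stated here, e.g. `// s3Endpoint is trusted operator config and must be a bare host[:port]: it is spliced into the header without escaping.` The added comment attributes redirect handling to `'self'`, but per the CSP spec a redirect target is checked against the same directive, so redirects work only because the endpoint is also listed; consider `// 'self' covers the initial fileserver request; a redirect to object storage passes because the endpoint is listed in the same directive.` BuildContentSecurityPolicy's body begins before this hunk (the `scheme` and `policy` setup are outside it), so the proxied-mode branch could not be reviewed here.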
@@ -44,25 +44,25 @@ func TestBuildContentSecurityPolicy(t *testing.T) {
 			s3Endpoint: "some-bucket-provider.com",
 			s3Proxy: false,
 			s3Secure: true,
-			expected: "default-src 'self'; image-src https://some-bucket-provider.com; media-src https://some-bucket-provider.com",
+			expected: "default-src 'self'; img-src 'self' https://some-bucket-provider.com; media-src 'self' https://some-bucket-provider.com",
 		},
 		{
 			s3Endpoint: "some-bucket-provider.com:6969",
 			s3Proxy: false,
 			s3Secure: true,
-			expected: "default-src 'self'; image-src https://some-bucket-provider.com:6969; media-src https://some-bucket-provider.com:6969",
+			expected: "default-src 'self'; img-src 'self' https://some-bucket-provider.com:6969; media-src 'self' https://some-bucket-provider.com:6969",
 		},
 		{
 			s3Endpoint: "some-bucket-provider.com:6969",
 			s3Proxy: false,
 			s3Secure: false,
-			expected: "default-src 'self'; image-src http://some-bucket-provider.com:6969; media-src http://some-bucket-provider.com:6969",
+			expected: "default-src 'self'; img-src 'self' http://some-bucket-provider.com:6969; media-src 'self' http://some-bucket-provider.com:6969",
 		},
 		{
 			s3Endpoint: "s3.nl-ams.scw.cloud",
 			s3Proxy: false,
 			s3Secure: true,
-			expected: "default-src 'self'; image-src https://s3.nl-ams.scw.cloud; media-src https://s3.nl-ams.scw.cloud",
+			expected: "default-src 'self'; img-src 'self' https://s3.nl-ams.scw.cloud; media-src 'self' https://s3.nl-ams.scw.cloud",
 		},
 		{
 			s3Endpoint: "some-bucket-provider.com",