[fix] Update CSP header for blob images (upload preview) and dev livereload (#2109)

* update CSP header for blob images (upload preview) and dev livereload websocket

* update csp for s3, update csp tests
This commit is contained in:
f0x52 2023-08-14 12:30:09 +02:00 committed by GitHub
parent 8ea7f551a0
commit 912a104aed
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 20 deletions

View file

@ -54,19 +54,16 @@ func BuildContentSecurityPolicy() string {
// Debug is enabled, allow // Debug is enabled, allow
// serving things from localhost // serving things from localhost
// as well (regardless of port). // as well (regardless of port).
policy += " localhost:*" policy += " localhost:* ws://localhost:*"
} }
// Disallow object-src as recommended https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
policy += "; object-src 'none'"
s3Endpoint := config.GetStorageS3Endpoint() s3Endpoint := config.GetStorageS3Endpoint()
if s3Endpoint == "" { if s3Endpoint == "" || config.GetStorageS3Proxy() {
// S3 not configured, // S3 not configured or in proxy mode, just allow images from self and blob:
// default policy is OK. policy += "; img-src 'self' blob:"
return policy
}
if config.GetStorageS3Proxy() {
// S3 is configured in proxy
// mode, default policy is OK.
return policy return policy
} }
@ -88,7 +85,7 @@ func BuildContentSecurityPolicy() string {
// handle any redirects from the fileserver to object storage. // handle any redirects from the fileserver to object storage.
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
policy += "; img-src 'self' " + s3EndpointURLStr policy += "; img-src 'self' blob: " + s3EndpointURLStr
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
policy += "; media-src 'self' " + s3EndpointURLStr policy += "; media-src 'self' " + s3EndpointURLStr

View file

@ -38,55 +38,55 @@ func TestBuildContentSecurityPolicy(t *testing.T) {
s3Endpoint: "", s3Endpoint: "",
s3Proxy: false, s3Proxy: false,
s3Secure: false, s3Secure: false,
expected: "default-src 'self'", expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
}, },
{ {
s3Endpoint: "some-bucket-provider.com", s3Endpoint: "some-bucket-provider.com",
s3Proxy: false, s3Proxy: false,
s3Secure: true, s3Secure: true,
expected: "default-src 'self'; img-src 'self' https://some-bucket-provider.com; media-src 'self' https://some-bucket-provider.com", expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://some-bucket-provider.com; media-src 'self' https://some-bucket-provider.com",
}, },
{ {
s3Endpoint: "some-bucket-provider.com:6969", s3Endpoint: "some-bucket-provider.com:6969",
s3Proxy: false, s3Proxy: false,
s3Secure: true, s3Secure: true,
expected: "default-src 'self'; img-src 'self' https://some-bucket-provider.com:6969; media-src 'self' https://some-bucket-provider.com:6969", expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://some-bucket-provider.com:6969; media-src 'self' https://some-bucket-provider.com:6969",
}, },
{ {
s3Endpoint: "some-bucket-provider.com:6969", s3Endpoint: "some-bucket-provider.com:6969",
s3Proxy: false, s3Proxy: false,
s3Secure: false, s3Secure: false,
expected: "default-src 'self'; img-src 'self' http://some-bucket-provider.com:6969; media-src 'self' http://some-bucket-provider.com:6969", expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: http://some-bucket-provider.com:6969; media-src 'self' http://some-bucket-provider.com:6969",
}, },
{ {
s3Endpoint: "s3.nl-ams.scw.cloud", s3Endpoint: "s3.nl-ams.scw.cloud",
s3Proxy: false, s3Proxy: false,
s3Secure: true, s3Secure: true,
expected: "default-src 'self'; img-src 'self' https://s3.nl-ams.scw.cloud; media-src 'self' https://s3.nl-ams.scw.cloud", expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://s3.nl-ams.scw.cloud; media-src 'self' https://s3.nl-ams.scw.cloud",
}, },
{ {
s3Endpoint: "some-bucket-provider.com", s3Endpoint: "some-bucket-provider.com",
s3Proxy: true, s3Proxy: true,
s3Secure: true, s3Secure: true,
expected: "default-src 'self'", expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
}, },
{ {
s3Endpoint: "some-bucket-provider.com:6969", s3Endpoint: "some-bucket-provider.com:6969",
s3Proxy: true, s3Proxy: true,
s3Secure: true, s3Secure: true,
expected: "default-src 'self'", expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
}, },
{ {
s3Endpoint: "some-bucket-provider.com:6969", s3Endpoint: "some-bucket-provider.com:6969",
s3Proxy: true, s3Proxy: true,
s3Secure: true, s3Secure: true,
expected: "default-src 'self'", expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
}, },
{ {
s3Endpoint: "s3.nl-ams.scw.cloud", s3Endpoint: "s3.nl-ams.scw.cloud",
s3Proxy: true, s3Proxy: true,
s3Secure: true, s3Secure: true,
expected: "default-src 'self'", expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
}, },
} { } {
config.SetStorageS3Endpoint(test.s3Endpoint) config.SetStorageS3Endpoint(test.s3Endpoint)