mirrors/owncast
1
0
Fork 0
mirror of https://github.com/owncast/owncast.git synced 2024-11-25 14:20:54 +03:00
Code Issues Projects Releases Packages Wiki Activity
owncast/router/middleware/headers.go

26 lines
860 B
Go
Raw Normal View History

Merge pull request from GHSA-2hfj-cxw7-g45p
2021-08-31 05:43:28 +03:00
package middleware
import (
Explicitly add unsafe-eval only when running automated browser tests
2021-09-18 20:06:47 +03:00
"fmt"
Merge pull request from GHSA-2hfj-cxw7-g45p
2021-08-31 05:43:28 +03:00
"net/http"
Explicitly add unsafe-eval only when running automated browser tests
2021-09-18 20:06:47 +03:00
"os"
Merge pull request from GHSA-2hfj-cxw7-g45p
2021-08-31 05:43:28 +03:00
"strings"
)
// SetHeaders will set our global headers for web resources.
func SetHeaders(w http.ResponseWriter) {
Explicitly add unsafe-eval only when running automated browser tests
2021-09-18 20:06:47 +03:00
// When running automated browser tests we must allow `unsafe-eval` in our CSP
// so we can explicitly add it only when needed.
inTest := os.Getenv("BROWSER_TEST") == "true"
unsafeEval := ""
if inTest {
unsafeEval = `'unsafe-eval'`
}
Merge pull request from GHSA-2hfj-cxw7-g45p
2021-08-31 05:43:28 +03:00
// Content security policy
csp := []string{
IndieAuth support (#1811) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com>
2022-04-22 00:55:26 +03:00
fmt.Sprintf("script-src 'self' %s 'sha256-B5bOgtE39ax4J6RqDE93TVYrJeLAdxDOJFtF3hoWYDw=' 'sha256-PzXGlTLvNFZ7et6GkP2nD3XuSaAKQVBSYiHzU2ZKm8o=' 'sha256-/wqazZOqIpFSIrNVseblbKCXrezG73X7CMqRSTf+8zw=' 'sha256-jCj2f+ICtd8fvdb0ngc+Hkr/ZnZOMvNkikno/XR6VZs='", unsafeEval),
Merge pull request from GHSA-2hfj-cxw7-g45p
2021-08-31 05:43:28 +03:00
"worker-src 'self' blob:", // No single quotes around blob:
}
w.Header().Set("Content-Security-Policy", strings.Join(csp, "; "))
}
Reference in a new issue Copy permalink