[fix] Update CSP header for blob images (upload preview) and dev livereload (#2109)v0.11.0-rc3

* update CSP header for blob images (upload preview) and dev livereload websocket

* update csp for s3, update csp tests

1 files changed, 8 insertions, 11 deletions

diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go
index be7591be1..064e85cca 100644
--- a/internal/middleware/extraheaders.go
+++ b/internal/middleware/extraheaders.go
@@ -54,19 +54,16 @@ func BuildContentSecurityPolicy() string {
 		// Debug is enabled, allow
 		// serving things from localhost
 		// as well (regardless of port).
-		policy += " localhost:*"
+		policy += " localhost:* ws://localhost:*"
 	}
 
-	s3Endpoint := config.GetStorageS3Endpoint()
-	if s3Endpoint == "" {
-		// S3 not configured,
-		// default policy is OK.
-		return policy
-	}
+	// Disallow object-src as recommended https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
+	policy += "; object-src 'none'"
 
-	if config.GetStorageS3Proxy() {
-		// S3 is configured in proxy
-		// mode, default policy is OK.
+	s3Endpoint := config.GetStorageS3Endpoint()
+	if s3Endpoint == "" || config.GetStorageS3Proxy() {
+		// S3 not configured or in proxy mode, just allow images from self and blob:
+		policy += "; img-src 'self' blob:"
 		return policy
 	}
 
@@ -88,7 +85,7 @@ func BuildContentSecurityPolicy() string {
 	// handle any redirects from the fileserver to object storage.
 
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
-	policy += "; img-src 'self' " + s3EndpointURLStr
+	policy += "; img-src 'self' blob: " + s3EndpointURLStr
 
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
 	policy += "; media-src 'self' " + s3EndpointURLStr