-rw-r--r--internal/middleware/extraheaders.go8
-rw-r--r--internal/middleware/middleware_test.go8
2 files changed, 10 insertions, 6 deletions
diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go
index cd207a9f1..be7591be1 100644
--- a/internal/middleware/extraheaders.go
+++ b/internal/middleware/extraheaders.go
@@ -83,11 +83,15 @@ func BuildContentSecurityPolicy() string {
// Construct endpoint URL.
s3EndpointURLStr := scheme + "://" + s3Endpoint
+ // When object storage is in use in non-proxied mode, GtS still serves some
+ // assets itself like the logo, so keep 'self' in there. That should also
+ // handle any redirects from the fileserver to object storage.
+
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
- policy += "; image-src " + s3EndpointURLStr
+ policy += "; img-src 'self' " + s3EndpointURLStr
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
- policy += "; media-src " + s3EndpointURLStr
+ policy += "; media-src 'self' " + s3EndpointURLStr
return policy
}
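Review bot: The corrected `img-src` and `media-src` directives still splice `s3EndpointURLStr` into the policy string unchecked, so a configured endpoint carrying whitespace, `;` or `,` would become a malformed source expression that browsers discard, quietly re-creating the "assets from object storage blocked" symptom this commit fixes. Either a guard near where the endpoint is read, `if strings.ContainsAny(s3Endpoint, " ;,") { /* reject or log */ }`, or a comment above the concatenation stating that the endpoint is assumed to be an already-validated `host[:port]`, would make that assumption visible. Since `image-src` was never a CSP directive the old lines were ignored entirely and images fell through to `default-src 'self'`; the new explanatory comment would be more useful if it said so, e.g. `// 'img-src' is the real directive name; the old 'image-src' was silently ignored by browsers.` The blank line between that comment and the MDN link detaches it from the line it explains, so consider dropping it. BuildContentSecurityPolicy starts before this hunk, so where `s3Endpoint` and `scheme` come from is not visible here.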
diff --git a/internal/middleware/middleware_test.go b/internal/middleware/middleware_test.go
index fecae5dd1..81c7c0be1 100644
--- a/internal/middleware/middleware_test.go
+++ b/internal/middleware/middleware_test.go
@@ -44,25 +44,25 @@ func TestBuildContentSecurityPolicy(t *testing.T) {
s3Endpoint: "some-bucket-provider.com",
s3Proxy: false,
s3Secure: true,
- expected: "default-src 'self'; image-src https://some-bucket-provider.com; media-src https://some-bucket-provider.com",
+ expected: "default-src 'self'; img-src 'self' https://some-bucket-provider.com; media-src 'self' https://some-bucket-provider.com",
},
{
s3Endpoint: "some-bucket-provider.com:6969",
s3Proxy: false,
s3Secure: true,
- expected: "default-src 'self'; image-src https://some-bucket-provider.com:6969; media-src https://some-bucket-provider.com:6969",
+ expected: "default-src 'self'; img-src 'self' https://some-bucket-provider.com:6969; media-src 'self' https://some-bucket-provider.com:6969",
},
{
s3Endpoint: "some-bucket-provider.com:6969",
s3Proxy: false,
s3Secure: false,
- expected: "default-src 'self'; image-src http://some-bucket-provider.com:6969; media-src http://some-bucket-provider.com:6969",
+ expected: "default-src 'self'; img-src 'self' http://some-bucket-provider.com:6969; media-src 'self' http://some-bucket-provider.com:6969",
},
{
s3Endpoint: "s3.nl-ams.scw.cloud",
s3Proxy: false,
s3Secure: true,
- expected: "default-src 'self'; image-src https://s3.nl-ams.scw.cloud; media-src https://s3.nl-ams.scw.cloud",
+ expected: "default-src 'self'; img-src 'self' https://s3.nl-ams.scw.cloud; media-src 'self' https://s3.nl-ams.scw.cloud",
},
{
s3Endpoint: "some-bucket-provider.com",