summaryrefslogtreecommitdiff
path: root/internal/middleware/extraheaders.go
diff options
context:
space:
mode:
Diffstat (limited to 'internal/middleware/extraheaders.go')
-rw-r--r--internal/middleware/extraheaders.go19
1 files changed, 8 insertions, 11 deletions
diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go
index be7591be1..064e85cca 100644
--- a/internal/middleware/extraheaders.go
+++ b/internal/middleware/extraheaders.go
@@ -54,19 +54,16 @@ func BuildContentSecurityPolicy() string {
// Debug is enabled, allow
// serving things from localhost
// as well (regardless of port).
- policy += " localhost:*"
+ policy += " localhost:* ws://localhost:*"
}
- s3Endpoint := config.GetStorageS3Endpoint()
- if s3Endpoint == "" {
- // S3 not configured,
- // default policy is OK.
- return policy
- }
+ // Disallow object-src as recommended https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
+ policy += "; object-src 'none'"
- if config.GetStorageS3Proxy() {
- // S3 is configured in proxy
- // mode, default policy is OK.
+ s3Endpoint := config.GetStorageS3Endpoint()
+ if s3Endpoint == "" || config.GetStorageS3Proxy() {
+ // S3 not configured or in proxy mode, just allow images from self and blob:
+ policy += "; img-src 'self' blob:"
return policy
}
@@ -88,7 +85,7 @@ func BuildContentSecurityPolicy() string {
// handle any redirects from the fileserver to object storage.
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
- policy += "; img-src 'self' " + s3EndpointURLStr
+ policy += "; img-src 'self' blob: " + s3EndpointURLStr
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
policy += "; media-src 'self' " + s3EndpointURLStr
generated by cgit v1.2.3 (git 2.46.0) at 2025-07-13 06:07:47 +0000