Diffstat (limited to 'internal')
-rw-r--r--internal/middleware/contentsecuritypolicy.go16
-rw-r--r--internal/middleware/contentsecuritypolicy_test.go12
2 files changed, 20 insertions, 8 deletions
diff --git a/internal/middleware/contentsecuritypolicy.go b/internal/middleware/contentsecuritypolicy.go
index fb35c3a08..eb5168376 100644
--- a/internal/middleware/contentsecuritypolicy.go
+++ b/internal/middleware/contentsecuritypolicy.go
@@ -37,6 +37,7 @@ func ContentSecurityPolicy(extraURIs ...string) gin.HandlerFunc {
func BuildContentSecurityPolicy(extraURIs ...string) string {
const (
defaultSrc = "default-src"
+ connectSrc = "connect-src"
objectSrc = "object-src"
imgSrc = "img-src"
mediaSrc = "media-src"
@@ -48,7 +49,7 @@ func BuildContentSecurityPolicy(extraURIs ...string) string {
)
// CSP values keyed by directive.
- values := make(map[string][]string, 4)
+ values := make(map[string][]string, 5)
/*
default-src
@@ -70,6 +71,16 @@ func BuildContentSecurityPolicy(extraURIs ...string) string {
}
/*
+ connect-src
+ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
+ */
+
+ // Restrictive default policy, but
+ // include ListenBrainz API for fields.
+ const listenBrains = "https://api.listenbrainz.org/1/user/"
+ values[connectSrc] = append(values[defaultSrc], listenBrains) //nolint
+
+ /*
object-src
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
*/
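Review bot: The new `values[connectSrc] = append(values[defaultSrc], listenBrains) //nolint` line can leave connect-src sharing a backing array with default-src whenever `values[defaultSrc]` has spare capacity, so any later append to the default-src entry would silently overwrite the ListenBrainz element of connect-src; the bare `//nolint` suppresses the linter warning that points at exactly this, and naming no linter in it hides what was waived. Copy before extending, `values[connectSrc] = append(append([]string(nil), values[defaultSrc]...), listenBrains)`, which also removes the need for the nolint comment. How default-src is built and whether it is appended to afterwards lies outside this hunk, so the aliasing may be latent today rather than an observed bug. The constant name `listenBrains` reads as a typo for ListenBrainz; something like `listenBrainzAPI` would match the comment above it and the host in the value.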
@@ -118,9 +129,10 @@ func BuildContentSecurityPolicy(extraURIs ...string) string {
// Iterate through an ordered slice rather than
// iterating through the map, since we want these
// policyDirectives in a determinate order.
- policyDirectives := make([]string, 4)
+ policyDirectives := make([]string, 5)
for i, directive := range []string{
defaultSrc,
+ connectSrc,
objectSrc,
imgSrc,
mediaSrc,
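Review bot: `policyDirectives := make([]string, 5)` hard-codes a count that the literal directive list right below must stay in sync with; this commit already had to bump it from 4 to 5 in step with the map hint in the earlier hunk, and a future directive added to the list without the matching bump would panic with an index out of range on the `policyDirectives[i]` write (the loop body is outside this hunk). Derive the size from the list instead: `directives := []string{defaultSrc, connectSrc, objectSrc, imgSrc, mediaSrc}`, `policyDirectives := make([]string, len(directives))`, `for i, directive := range directives {`. The `make(map[string][]string, 5)` size hint has the same duplication but is only a capacity hint, so it cannot cause a runtime failure if it drifts.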
diff --git a/internal/middleware/contentsecuritypolicy_test.go b/internal/middleware/contentsecuritypolicy_test.go
index a337763df..ef6dc2bf8 100644
--- a/internal/middleware/contentsecuritypolicy_test.go
+++ b/internal/middleware/contentsecuritypolicy_test.go
@@ -32,38 +32,38 @@ func TestBuildContentSecurityPolicy(t *testing.T) {
for _, test := range []cspTest{
{
extraURLs: nil,
- expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:; media-src 'self'",
+ expected: "default-src 'self'; connect-src 'self' https://api.listenbrainz.org/1/user/; object-src 'none'; img-src 'self' blob:; media-src 'self'",
},
{
extraURLs: []string{
"https://some-bucket-provider.com",
},
- expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://some-bucket-provider.com; media-src 'self' https://some-bucket-provider.com",
+ expected: "default-src 'self'; connect-src 'self' https://api.listenbrainz.org/1/user/; object-src 'none'; img-src 'self' blob: https://some-bucket-provider.com; media-src 'self' https://some-bucket-provider.com",
},
{
extraURLs: []string{
"https://some-bucket-provider.com:6969",
},
- expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://some-bucket-provider.com:6969; media-src 'self' https://some-bucket-provider.com:6969",
+ expected: "default-src 'self'; connect-src 'self' https://api.listenbrainz.org/1/user/; object-src 'none'; img-src 'self' blob: https://some-bucket-provider.com:6969; media-src 'self' https://some-bucket-provider.com:6969",
},
{
extraURLs: []string{
"http://some-bucket-provider.com:6969",
},
- expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: http://some-bucket-provider.com:6969; media-src 'self' http://some-bucket-provider.com:6969",
+ expected: "default-src 'self'; connect-src 'self' https://api.listenbrainz.org/1/user/; object-src 'none'; img-src 'self' blob: http://some-bucket-provider.com:6969; media-src 'self' http://some-bucket-provider.com:6969",
},
{
extraURLs: []string{
"https://s3.nl-ams.scw.cloud",
},
- expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://s3.nl-ams.scw.cloud; media-src 'self' https://s3.nl-ams.scw.cloud",
+ expected: "default-src 'self'; connect-src 'self' https://api.listenbrainz.org/1/user/; object-src 'none'; img-src 'self' blob: https://s3.nl-ams.scw.cloud; media-src 'self' https://s3.nl-ams.scw.cloud",
},
{
extraURLs: []string{
"https://s3.nl-ams.scw.cloud",
"https://s3.somewhere.else.example.org",
},
- expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://s3.nl-ams.scw.cloud https://s3.somewhere.else.example.org; media-src 'self' https://s3.nl-ams.scw.cloud https://s3.somewhere.else.example.org",
+ expected: "default-src 'self'; connect-src 'self' https://api.listenbrainz.org/1/user/; object-src 'none'; img-src 'self' blob: https://s3.nl-ams.scw.cloud https://s3.somewhere.else.example.org; media-src 'self' https://s3.nl-ams.scw.cloud https://s3.somewhere.else.example.org",
},
} {
csp := middleware.BuildContentSecurityPolicy(test.extraURLs...)