From 3aedd937c3d4ef65aa24a7ca8f48616731625f44 Mon Sep 17 00:00:00 2001 From: Daenney Date: Fri, 11 Aug 2023 13:20:56 +0200 Subject: [feature] Set Content-Security-Policy header (#2095) This adds the CSP header with a policy of only loading from the same domain. We don't make use of external media, CSS, JS, fonts, so we don't ever need external data loaded in our context. When building a DEBUG build, the policy gets extended to include localhost:*, i.e localhost on any port. This keeps the live-reloading flow for JS development working. localhost and 127.0.0.1 are considered to be the same so mixing and matching those doesn't result in a CSP violation. --- internal/middleware/extraheaders.go | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'internal/middleware/extraheaders.go') diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go index 802051e34..f584633fe 100644 --- a/internal/middleware/extraheaders.go +++ b/internal/middleware/extraheaders.go @@ -17,10 +17,17 @@ package middleware -import "github.com/gin-gonic/gin" +import ( + "codeberg.org/gruf/go-debug" + "github.com/gin-gonic/gin" +) // ExtraHeaders returns a new gin middleware which adds various extra headers to the response. func ExtraHeaders() gin.HandlerFunc { + policy := "default-src 'self'" + if debug.DEBUG { + policy += " localhost:*" + } return func(c *gin.Context) { // Inform all callers which server implementation this is. c.Header("Server", "gotosocial") @@ -32,5 +39,7 @@ func ExtraHeaders() gin.HandlerFunc { // // See: https://github.com/patcg-individual-drafts/topics c.Header("Permissions-Policy", "browsing-topics=()") + // Inform the browser we only load CSS/JS/media from the same domain + c.Header("Content-Security-Policy", policy) } } -- cgit v1.2.3