From 5e368d308942b8727e3086065a515d5fc9808e50 Mon Sep 17 00:00:00 2001
From: Daenney <daenney@users.noreply.github.com>
Date: Sat, 12 Aug 2023 12:21:48 +0200
Subject: [bugfix] CSP policy fixes for S3/object storage (#2104)

* [bugfix] CSP policy fixes for S3 in non-proxied mode

* It should be img-src
* In both img-src and media-src we still need to include 'self'
---
 internal/middleware/extraheaders.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'internal/middleware/extraheaders.go')

diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go
index cd207a9f1..be7591be1 100644
--- a/internal/middleware/extraheaders.go
+++ b/internal/middleware/extraheaders.go
@@ -83,11 +83,15 @@ func BuildContentSecurityPolicy() string {
 	// Construct endpoint URL.
 	s3EndpointURLStr := scheme + "://" + s3Endpoint
 
+	// When object storage is in use in non-proxied mode, GtS still serves some
+	// assets itself like the logo, so keep 'self' in there. That should also
+	// handle any redirects from the fileserver to object storage.
+
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
-	policy += "; image-src " + s3EndpointURLStr
+	policy += "; img-src 'self' " + s3EndpointURLStr
 
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
-	policy += "; media-src " + s3EndpointURLStr
+	policy += "; media-src 'self' " + s3EndpointURLStr
 
 	return policy
 }
-- 
cgit v1.2.3