From 912a104aed2764fd385ae9e0cdc12cb748db296d Mon Sep 17 00:00:00 2001
From: f0x52 <f0x@cthu.lu>
Date: Mon, 14 Aug 2023 12:30:09 +0200
Subject: [fix] Update CSP header for blob images (upload preview) and dev
 livereload (#2109)

* update CSP header for blob images (upload preview) and dev livereload websocket

* update csp for s3, update csp tests
---
 internal/middleware/extraheaders.go | 19 ++++++++-----------
 1 file changed, 8 insertions(+), 11 deletions(-)

(limited to 'internal/middleware/extraheaders.go')

diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go
index be7591be1..064e85cca 100644
--- a/internal/middleware/extraheaders.go
+++ b/internal/middleware/extraheaders.go
@@ -54,19 +54,16 @@ func BuildContentSecurityPolicy() string {
 		// Debug is enabled, allow
 		// serving things from localhost
 		// as well (regardless of port).
-		policy += " localhost:*"
+		policy += " localhost:* ws://localhost:*"
 	}
 
-	s3Endpoint := config.GetStorageS3Endpoint()
-	if s3Endpoint == "" {
-		// S3 not configured,
-		// default policy is OK.
-		return policy
-	}
+	// Disallow object-src as recommended https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
+	policy += "; object-src 'none'"
 
-	if config.GetStorageS3Proxy() {
-		// S3 is configured in proxy
-		// mode, default policy is OK.
+	s3Endpoint := config.GetStorageS3Endpoint()
+	if s3Endpoint == "" || config.GetStorageS3Proxy() {
+		// S3 not configured or in proxy mode, just allow images from self and blob:
+		policy += "; img-src 'self' blob:"
 		return policy
 	}
 
@@ -88,7 +85,7 @@ func BuildContentSecurityPolicy() string {
 	// handle any redirects from the fileserver to object storage.
 
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
-	policy += "; img-src 'self' " + s3EndpointURLStr
+	policy += "; img-src 'self' blob: " + s3EndpointURLStr
 
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
 	policy += "; media-src 'self' " + s3EndpointURLStr
-- 
cgit v1.2.3