From 912a104aed2764fd385ae9e0cdc12cb748db296d Mon Sep 17 00:00:00 2001
From: f0x52
Date: Mon, 14 Aug 2023 12:30:09 +0200
Subject: [fix] Update CSP header for blob images (upload preview) and dev livereload (#2109)

* update CSP header for blob images (upload preview) and dev livereload websocket
* update csp for s3, update csp tests
---
 internal/middleware/middleware_test.go | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
(limited to 'internal/middleware/middleware_test.go')
diff --git a/internal/middleware/middleware_test.go b/internal/middleware/middleware_test.go
index 81c7c0be1..29376304e 100644
--- a/internal/middleware/middleware_test.go
+++ b/internal/middleware/middleware_test.go
@@ -38,55 +38,55 @@ func TestBuildContentSecurityPolicy(t *testing.T) {
 s3Endpoint: "",
 s3Proxy: false,
 s3Secure: false,
- expected: "default-src 'self'",
+ expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
 },
 {
 s3Endpoint: "some-bucket-provider.com",
 s3Proxy: false,
 s3Secure: true,
- expected: "default-src 'self'; img-src 'self' https://some-bucket-provider.com; media-src 'self' https://some-bucket-provider.com",
+ expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://some-bucket-provider.com; media-src 'self' https://some-bucket-provider.com",
 },
 {
 s3Endpoint: "some-bucket-provider.com:6969",
 s3Proxy: false,
 s3Secure: true,
- expected: "default-src 'self'; img-src 'self' https://some-bucket-provider.com:6969; media-src 'self' https://some-bucket-provider.com:6969",
+ expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://some-bucket-provider.com:6969; media-src 'self' https://some-bucket-provider.com:6969",
 },
 {
 s3Endpoint: "some-bucket-provider.com:6969",
 s3Proxy: false,
 s3Secure: false,
- expected: "default-src 'self'; img-src 'self' http://some-bucket-provider.com:6969; media-src 'self' http://some-bucket-provider.com:6969",
+ expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: http://some-bucket-provider.com:6969; media-src 'self' http://some-bucket-provider.com:6969",
 },
 {
 s3Endpoint: "s3.nl-ams.scw.cloud",
 s3Proxy: false,
 s3Secure: true,
- expected: "default-src 'self'; img-src 'self' https://s3.nl-ams.scw.cloud; media-src 'self' https://s3.nl-ams.scw.cloud",
+ expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://s3.nl-ams.scw.cloud; media-src 'self' https://s3.nl-ams.scw.cloud",
 },
 {
 s3Endpoint: "some-bucket-provider.com",
 s3Proxy: true,
 s3Secure: true,
- expected: "default-src 'self'",
+ expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
 },
 {
 s3Endpoint: "some-bucket-provider.com:6969",
 s3Proxy: true,
 s3Secure: true,
- expected: "default-src 'self'",
+ expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
 },
 {
 s3Endpoint: "some-bucket-provider.com:6969",
 s3Proxy: true,
 s3Secure: true,
- expected: "default-src 'self'",
+ expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
 },
 {
 s3Endpoint: "s3.nl-ams.scw.cloud",
 s3Proxy: true,
 s3Secure: true,
- expected: "default-src 'self'",
+ expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
 },
 } {
 config.SetStorageS3Endpoint(test.s3Endpoint)
-- 
cgit v1.2.3
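Review bot: Two consecutive table entries with `s3Endpoint: "some-bucket-provider.com:6969"`, `s3Proxy: true`, `s3Secure: true` are identical, so one of them tests nothing and the proxied-but-insecure combination (the counterpart of the non-proxy `s3Secure: false` case) is never exercised; changing the second one to `s3Secure: false,` should keep the same expected value, since every proxied case visibly drops the endpoint regardless of scheme, and closes that gap. The commit message also says the dev livereload websocket was added to the policy, yet no expected string here contains a `connect-src` entry, so that branch is presumably behind a setting this table never enables and deserves its own case. Because the test pins the exact header, it is the right place to catch a future regression in `object-src 'none'`; note that directives such as `frame-ancestors` and `base-uri` do not inherit from `default-src`, so if they are added later these expectations must grow with them. TestBuildContentSecurityPolicy starts before the hunk and continues after it.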