From 1d159e4f6466ebf34162df05e274a3090a0ae93c Mon Sep 17 00:00:00 2001 From: surtur Date: Fri, 8 Sep 2023 17:48:51 +0200 Subject: [PATCH] go,tmpl: unify handling of CSP --- app/server.go | 8 +++++++- app/settings/helper.go | 3 +++ app/settings/settings.go | 41 +++++++++++++++++++++++++++++++--------- handlers/page.go | 2 ++ templates/head.tmpl | 5 +---- 5 files changed, 45 insertions(+), 14 deletions(-) diff --git a/app/server.go b/app/server.go index 55af6f1..b8c158c 100644 --- a/app/server.go +++ b/app/server.go @@ -139,7 +139,13 @@ func (a *App) SetServerSettings() { e.Use(session.Middleware(store)) - e.Use(middleware.Secure()) + e.Use( + middleware.SecureWithConfig( + middleware.SecureConfig{ + ContentSecurityPolicy: a.setting.HTTPCSP(), + }, + ), + ) if a.setting.HTTPGzipEnabled() { e.Use(middleware.GzipWithConfig(middleware.GzipConfig{ diff --git a/app/settings/helper.go b/app/settings/helper.go index 8d7ecb8..540cc5a 100644 --- a/app/settings/helper.go +++ b/app/settings/helper.go @@ -50,6 +50,9 @@ func (s *Settings) sortOutFlags(conf *config.Config, hostFlag *string, portFlag if d := *develFlag; d != conf.DevelMode { log.Debugf(overrideMsg, "develMode", d) s.SetIsDevel(d) + + log.Debug("making sure that CSP is set appropriately for devel mode (flag override)") + s.SetHTTPCSP(conf.HTTP.ContentSecurityPolicy) } } } diff --git a/app/settings/settings.go b/app/settings/settings.go index 287ae7d..0d913f7 100644 --- a/app/settings/settings.go +++ b/app/settings/settings.go @@ -22,6 +22,7 @@ type Settings struct { httpGzipLevel int httpRateLimitEnabled bool httpRateLimit int + httpCSP string isLive bool isDevel bool initCreateAdmin bool @@ -49,6 +50,8 @@ const ( defaultPort = 3000 defaultSessionMaxAge = 86400 // seconds. defaultHTTPDomain = "localhost" + defaultCSP = "upgrade-insecure-requests; default-src 'self'; manifest-src 'self'; font-src 'self'; connect-src 'self'; script-src 'self'; style-src 'self'; object-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'" + defaultCSPDevel = "default-src 'self'; manifest-src 'self'; font-src 'self'; connect-src 'self' ws://localhost:3002 http://localhost:3002; script-src 'self' http://localhost:3002; style-src 'self'; object-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'" defaultServerWriteTimeout = 30 * time.Second defaultServerReadHeaderTimeout = 30 * time.Second defaultLoggerSkipAssets = true @@ -138,6 +141,15 @@ func (s *Settings) Consolidate(conf *config.Config, host *string, port *int, dev s.sessionEncrIsHex = true } + if conf.Init.CreateAdmin { + s.SetInitCreateAdmin(true) + s.SetInitAdminPassword(conf.Init.AdminPassword) + } + + if conf.Registration.Allowed { + s.RegistrationAllowed = true + } + if conf.HTTP.Gzip > 0 { s.SetHTTPGzipEnabled(true) s.SetHTTPGzipLevel(conf.HTTP.Gzip) @@ -148,15 +160,7 @@ func (s *Settings) Consolidate(conf *config.Config, host *string, port *int, dev s.SetHTTPRateLimit(conf.HTTP.RateLimit) } - if conf.Init.CreateAdmin { - s.SetInitCreateAdmin(true) - s.SetInitAdminPassword(conf.Init.AdminPassword) - } - - if conf.Registration.Allowed { - s.RegistrationAllowed = true - } - + s.SetHTTPCSP(conf.HTTP.ContentSecurityPolicy) s.SetHTTPDomain(conf.HTTP.Domain) s.SetHTTPSecure(conf.HTTP.Secure) s.setAPIKeys() @@ -269,6 +273,11 @@ func (s *Settings) HTTPRateLimit() int { return s.httpRateLimit } +// HTTPCSP returns the httpCSP. +func (s *Settings) HTTPCSP() string { + return s.httpCSP +} + // AssetsPath returns the assetsPath. func (s *Settings) AssetsPath() string { return s.assetsPath @@ -412,6 +421,20 @@ func (s *Settings) SetHTTPRateLimit(rateLimit int) { s.httpRateLimit = rateLimit } +// SetHTTPCSP sets the content security policy. +func (s *Settings) SetHTTPCSP(csp string) { + switch csp { + case "": + if s.isDevel { + s.httpCSP = defaultCSPDevel + } else { + s.httpCSP = defaultCSP + } + default: + s.httpCSP = csp + } +} + // SetAssetsPath sets the assetsPath. func (s *Settings) SetAssetsPath(assetsPath string) { s.assetsPath = assetsPath diff --git a/handlers/page.go b/handlers/page.go index bffca83..8b278e9 100644 --- a/handlers/page.go +++ b/handlers/page.go @@ -12,6 +12,7 @@ type page struct { Title string Name string CSRF string + CSP string DevelMode bool Current string Error string @@ -28,6 +29,7 @@ func newPage() *page { p := &page{ AppName: appName, AppVer: appver, + CSP: setting.HTTPCSP(), DevelMode: appIsDevel, Data: data, } diff --git a/templates/head.tmpl b/templates/head.tmpl index 8f41059..e23f5a1 100644 --- a/templates/head.tmpl +++ b/templates/head.tmpl @@ -22,12 +22,9 @@ + {{- if .DevelMode -}} - - {{ template "browsersync.tmpl" }} -{{ else }} - {{- end -}}