head.tmpl: add Content Security Policy meta attr

* implement calculating integrity for script, stylesheet assets
* break out browser-sync loader script to its own file (instead of
  inline)
* implement Content Security Policy that only allows BrowserSync scripts
  and hooks to load from localhost when DevelMode is enabled (i.e. not
  in production)
This commit is contained in:
leo 2023-05-15 14:12:39 +02:00
parent 852cc60a9e
commit 50c3c939b6
Signed by: wanderer
SSH Key Fingerprint: SHA256:Dp8+iwKHSlrMEHzE3bJnPng70I7LEsa3IJXRH/U+idQ
4 changed files with 23 additions and 24 deletions

@ -0,0 +1,15 @@
(function() {
try {
var script = document.createElement('script');
if ('async') {
script.async = true;
}
// script.src = 'http://HOST:3002/browser-sync/browser-sync-client.js?v=2.29.0'.replace("HOST", location.hostname);
script.src = 'http://localhost:3002/browser-sync/browser-sync-client.js?v=2.29.0';
if (document.body) {
document.body.appendChild(script);
}
} catch (e) {
console.error("Browsersync: could not append script tag", e);
}
})()
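Review bot: `if ('async')` right after the createElement call tests a non-empty string literal, so it is always true and the wrapper is dead; `script.async = true;` can stand on its own. The commented-out `HOST` / `location.hostname` variant above the `script.src` assignment is leftover now that the source is pinned to `http://localhost:3002` to match the devel-mode `script-src`; drop it or replace it with a one-line why-comment such as `// pinned to localhost so the URL matches the DevelMode CSP script-src`. The plain-http URL only works because this file is injected under DevelMode; if the page is ever served over https from a host other than localhost, mixed-content rules (and possibly the `upgrade-insecure-requests` directive in head.tmpl) would block or rewrite the request, which is worth stating in a header comment in the file.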

@ -1,18 +1 @@
<!-- [> browserSync <] -->
<!-- <script async id="__bs_script__" src="http://localhost:3002/browser-sync/browser-sync-client.js?v=2.29.1" defer></script> -->
<script defer id="__bs_script__">//<![CDATA[
(function() {
try {
var script = document.createElement('script');
if ('async') {
script.async = true;
}
script.src = 'http://HOST:3002/browser-sync/browser-sync-client.js?v=2.29.0'.replace("HOST", location.hostname);
if (document.body) {
document.body.appendChild(script);
}
} catch (e) {
console.error("Browsersync: could not append script tag", e);
}
})()
//]]></script>
<script defer id="__bs_script__" src="/assets/js/browsersync.js" integrity="{{- sha384 "js/browsersync.js" -}}"></script>
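Review bot: The `integrity` value on the new `<script>` line relies on the `sha384` template helper emitting the full `sha384-<base64>` token; if the helper returns only the digest, browsers find no recognised hash in the attribute and enforce nothing, so the helper's output format should be confirmed once. The hash is computed from `js/browsersync.js` at render time while the browser fetches `/assets/js/browsersync.js`, so any post-processing of the served asset (minification, different line endings) makes the hash mismatch and the script is then refused without any visible error on the page; a short template comment naming that coupling, e.g. `{{- /* integrity is computed from the on-disk file that /assets/js serves; keep the two identical */ -}}`, would help the next maintainer.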

@ -15,8 +15,5 @@
</footer>
<!-- inject browsersync script if running in devel mode -->
{{- if .DevelMode -}}
{{ template "browsersync.tmpl" }}
{{- end }}
</body>
</html>

@ -18,10 +18,14 @@
<meta name="referrer" content="no-referrer, strict-origin-when-cross-origin">
<link rel="icon" href="/assets/img/logo-pcmt.svg" type="image/svg+xml">
<link href="/assets/css/pcmt.css" rel="preload" as="style">
<link href="/assets/css/pcmt.css" rel="stylesheet">
<link href="/assets/css/pcmt.css" rel="preload" as="style" integrity="{{- sha384 "css/pcmt.css" -}}">
<link href="/assets/css/pcmt.css" rel="stylesheet" integrity="{{- sha384 "css/pcmt.css" -}}">
{{- if .DevelMode -}}
<!-- <link href="http://localhost:3002/browser-sync/browser-sync-client.js?v=2.29.1" rel="preload" as="script"> -->
<meta http-equiv="content-security-policy" content="upgrade-insecure-requests; default-src 'self'; connect-src 'self' ws://localhost:3002 http://localhost:3002; script-src 'self' http://localhost:3002;"/>
<!-- inject browsersync script if running in devel mode -->
{{ template "browsersync.tmpl" }}
{{ else }}
<meta http-equiv="content-security-policy" content="upgrade-insecure-requests; default-src 'self'; connect-src 'self'; script-src 'self';"/>
{{- end -}}
</head>
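Review bot: Both `<meta http-equiv="content-security-policy">` tags sit after the icon link and the stylesheet `<link>`s, and a meta-delivered CSP only governs requests made after the parser reaches it, so those earlier fetches are never covered; move the two meta tags (or the whole `{{- if .DevelMode -}}` block) to the top of `<head>`, whose opening tag is outside this hunk, right after the charset meta, or better send the policy as a `Content-Security-Policy` response header from the handler that already knows `.DevelMode`. `base-uri` and `form-action` do not fall back to `default-src`, so `default-src 'self'` alone leaves relative asset URLs and form targets unconstrained; appending `base-uri 'self'; form-action 'self';` to both policies closes that. `frame-ancestors` is ignored in a meta tag, so framing protection needs the header route in any case. Minor: the directive set is duplicated across the two branches and could be a single meta whose `connect-src`/`script-src` gain the localhost sources only inside the `if`, and the trailing `/>` on `<meta>` is unnecessary in HTML.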