From 50c3c939b6928956a2a6bf2b871bed33c6d077f9 Mon Sep 17 00:00:00 2001
From: leo <wanderer@dotya.ml>
Date: Mon, 15 May 2023 14:12:39 +0200
Subject: [PATCH] head.tmpl: add Content Security Policy meta attr

* implement calculating integrity for script, stylesheet assets
* break out browser-sync loader script to its own file (instead of
  inline)
* implement Content Security Policy that only allows BrowserSync scripts
  and hooks to load from localhost when DevelMode is enabled (i.e. not
  in production)
---
 assets/public/js/browsersync.js | 15 +++++++++++++++
 templates/browsersync.tmpl      | 19 +------------------
 templates/footer.tmpl           |  3 ---
 templates/head.tmpl             | 10 +++++++---
 4 files changed, 23 insertions(+), 24 deletions(-)
 create mode 100644 assets/public/js/browsersync.js

diff --git a/assets/public/js/browsersync.js b/assets/public/js/browsersync.js
new file mode 100644
index 0000000..d3bfb9c
--- /dev/null
+++ b/assets/public/js/browsersync.js
@@ -0,0 +1,15 @@
+(function() {
+    try {
+        var script = document.createElement('script');
+        if ('async') {
+            script.async = true;
+        }
+        // script.src = 'http://HOST:3002/browser-sync/browser-sync-client.js?v=2.29.0'.replace("HOST", location.hostname);
+        script.src = 'http://localhost:3002/browser-sync/browser-sync-client.js?v=2.29.0';
+        if (document.body) {
+            document.body.appendChild(script);
+        }
+    } catch (e) {
+        console.error("Browsersync: could not append script tag", e);
+    }
+})()
diff --git a/templates/browsersync.tmpl b/templates/browsersync.tmpl
index 166b13b..0cd9643 100644
--- a/templates/browsersync.tmpl
+++ b/templates/browsersync.tmpl
@@ -1,18 +1 @@
-<!-- [> browserSync <] -->
-<!-- <script async id="__bs_script__" src="http://localhost:3002/browser-sync/browser-sync-client.js?v=2.29.1" defer></script> -->
-<script defer id="__bs_script__">//<![CDATA[
-	(function() {
-		try {
-			var script = document.createElement('script');
-			if ('async') {
-				script.async = true;
-			}
-			script.src = 'http://HOST:3002/browser-sync/browser-sync-client.js?v=2.29.0'.replace("HOST", location.hostname);
-			if (document.body) {
-				document.body.appendChild(script);
-			}
-		} catch (e) {
-			console.error("Browsersync: could not append script tag", e);
-		}
-	})()
-//]]></script>
+<script defer id="__bs_script__" src="/assets/js/browsersync.js" integrity="{{- sha384 "js/browsersync.js" -}}"></script>
diff --git a/templates/footer.tmpl b/templates/footer.tmpl
index dc6d4d0..dcfd3d0 100644
--- a/templates/footer.tmpl
+++ b/templates/footer.tmpl
@@ -15,8 +15,5 @@
 </footer>
 
 <!-- inject browsersync script if running in devel mode -->
-{{- if .DevelMode -}}
-{{ template "browsersync.tmpl" }}
-{{- end }}
 </body>
 </html>
diff --git a/templates/head.tmpl b/templates/head.tmpl
index 46d5a97..3a0be69 100644
--- a/templates/head.tmpl
+++ b/templates/head.tmpl
@@ -18,10 +18,14 @@
 <meta name="referrer" content="no-referrer, strict-origin-when-cross-origin">
 
 <link rel="icon" href="/assets/img/logo-pcmt.svg" type="image/svg+xml">
-<link href="/assets/css/pcmt.css" rel="preload" as="style">
-<link href="/assets/css/pcmt.css" rel="stylesheet">
+<link href="/assets/css/pcmt.css" rel="preload" as="style" integrity="{{- sha384 "css/pcmt.css" -}}">
+<link href="/assets/css/pcmt.css" rel="stylesheet" integrity="{{- sha384 "css/pcmt.css" -}}">
 
 {{- if .DevelMode -}}
-<!-- <link href="http://localhost:3002/browser-sync/browser-sync-client.js?v=2.29.1" rel="preload" as="script"> -->
+<meta http-equiv="content-security-policy" content="upgrade-insecure-requests; default-src 'self'; connect-src 'self' ws://localhost:3002 http://localhost:3002; script-src 'self' http://localhost:3002;"/>
+<!-- inject browsersync script if running in devel mode -->
+{{ template "browsersync.tmpl" }}
+{{ else }}
+<meta http-equiv="content-security-policy" content="upgrade-insecure-requests; default-src 'self'; connect-src 'self'; script-src 'self';"/>
 {{- end -}}
 </head>