head.tmpl: add Content Security Policy meta attr

* implement calculating integrity for script, stylesheet assets * break out browser-sync loader script to its own file (instead of inline) * implement Content Security Policy that only allows BrowserSync scripts and hooks to load from localhost when DevelMode is enabled (i.e. not in production)
2023-05-15 14:12:39 +02:00 · 2023-05-15 14:12:39 +02:00 · 50c3c939b6
commit 50c3c939b6
parent 852cc60a9e
4 changed files with 23 additions and 24 deletions
--- a/assets/public/js/browsersync.js
+++ b/assets/public/js/browsersync.js
@ -0,0 +1,15 @@
+(function() {
+    try {
+        var script = document.createElement('script');
+        if ('async') {
+            script.async = true;
+        }
+        // script.src = 'http://HOST:3002/browser-sync/browser-sync-client.js?v=2.29.0'.replace("HOST", location.hostname);
+        script.src = 'http://localhost:3002/browser-sync/browser-sync-client.js?v=2.29.0';
+        if (document.body) {
+            document.body.appendChild(script);
+        }
+    } catch (e) {
+        console.error("Browsersync: could not append script tag", e);
+    }
+})()
--- a/templates/browsersync.tmpl
+++ b/templates/browsersync.tmpl
@ -1,18 +1 @@
-<!-- [> browserSync <] -->
-<!-- <script async id="__bs_script__" src="http://localhost:3002/browser-sync/browser-sync-client.js?v=2.29.1" defer></script> -->
-<script defer id="__bs_script__">//<![CDATA[
-	(function() {
-		try {
-			var script = document.createElement('script');
-			if ('async') {
-				script.async = true;
-			}
-			script.src = 'http://HOST:3002/browser-sync/browser-sync-client.js?v=2.29.0'.replace("HOST", location.hostname);
-			if (document.body) {
-				document.body.appendChild(script);
-			}
-		} catch (e) {
-			console.error("Browsersync: could not append script tag", e);
-		}
-	})()
-//]]></script>
+<script defer id="__bs_script__" src="/assets/js/browsersync.js" integrity="{{- sha384 "js/browsersync.js" -}}"></script>
--- a/templates/footer.tmpl
+++ b/templates/footer.tmpl
@ -15,8 +15,5 @@
 </footer>

 <!-- inject browsersync script if running in devel mode -->
-{{- if .DevelMode -}}
-{{ template "browsersync.tmpl" }}
-{{- end }}
 </body>
 </html>
--- a/templates/head.tmpl
+++ b/templates/head.tmpl
@ -18,10 +18,14 @@
 <meta name="referrer" content="no-referrer, strict-origin-when-cross-origin">

 <link rel="icon" href="/assets/img/logo-pcmt.svg" type="image/svg+xml">
-<link href="/assets/css/pcmt.css" rel="preload" as="style">
-<link href="/assets/css/pcmt.css" rel="stylesheet">
+<link href="/assets/css/pcmt.css" rel="preload" as="style" integrity="{{- sha384 "css/pcmt.css" -}}">
+<link href="/assets/css/pcmt.css" rel="stylesheet" integrity="{{- sha384 "css/pcmt.css" -}}">

 {{- if .DevelMode -}}
-<!-- <link href="http://localhost:3002/browser-sync/browser-sync-client.js?v=2.29.1" rel="preload" as="script"> -->
+<meta http-equiv="content-security-policy" content="upgrade-insecure-requests; default-src 'self'; connect-src 'self' ws://localhost:3002 http://localhost:3002; script-src 'self' http://localhost:3002;"/>
+<!-- inject browsersync script if running in devel mode -->
+{{ template "browsersync.tmpl" }}
+{{ else }}
+<meta http-equiv="content-security-policy" content="upgrade-insecure-requests; default-src 'self'; connect-src 'self'; script-src 'self';"/>
 {{- end -}}
 </head>