Don't attempt to special-case worker CSP.

It doesn't work.
2024-12-21 23:05:48 +01:00 · 2024-12-13 13:58:26 +01:00 · 2024-12-13 13:58:26 +01:00 · 6e10da0116
commit 6e10da0116
parent 801e10c824
1 changed files with 4 additions and 8 deletions
--- a/webserver/webserver.go
+++ b/webserver/webserver.go
@ -88,17 +88,13 @@ func Serve(address string, dataDir string) error {
 	return nil
 }

-func cspHeader(w http.ResponseWriter, connect string, unsafeEval bool) {
+func cspHeader(w http.ResponseWriter, connect string) {
 	c := "connect-src ws: wss: 'self'; "
 	if connect != "" {
 		c = "connect-src " + connect + " ws: wss: 'self'; "
 	}
-	s := "script-src 'self'; "
-	if unsafeEval {
-		s = "script-src 'unsafe-eval' 'self'; "
-	}
 	w.Header().Add("Content-Security-Policy",
-		c+s+"img-src data: 'self'; media-src blob: 'self'; default-src 'self'")
+		c+"img-src data: 'self'; media-src blob: 'self'; script-src 'unsafe-eval' 'self'; default-src 'self'")

 	// Make browser stop sending referrer information
 	w.Header().Add("Referrer-Policy", "no-referrer")
@ -211,7 +207,7 @@ func (fh *fileHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	cspHeader(w, "", r.URL.Path == "/blur-background-worker.js")
+	cspHeader(w, "")
 	p := r.URL.Path
 	// this ensures any leading .. are removed by path.Clean below
 	if !strings.HasPrefix(p, "/") {
@ -377,7 +373,7 @@ func groupHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	status := g.Status(false, nil)
-	cspHeader(w, status.AuthServer, false)
+	cspHeader(w, status.AuthServer)
 	serveFile(w, r, filepath.Join(StaticRoot, "galene.html"))
 }