From 6e10da0116be722b6f14d29abbbb09b4ce2459a6 Mon Sep 17 00:00:00 2001
From: Juliusz Chroboczek
Date: Fri, 13 Dec 2024 13:58:26 +0100
Subject: [PATCH] Don't attempt to special-case worker CSP. It doesn't work.
---
 webserver/webserver.go | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/webserver/webserver.go b/webserver/webserver.go
index 2c7edf6..e12e729 100644
--- a/webserver/webserver.go
+++ b/webserver/webserver.go
@@ -88,17 +88,13 @@ func Serve(address string, dataDir string) error {
 return nil
 }
-func cspHeader(w http.ResponseWriter, connect string, unsafeEval bool) {
+func cspHeader(w http.ResponseWriter, connect string) {
 c := "connect-src ws: wss: 'self'; "
 if connect != "" {
 c = "connect-src " + connect + " ws: wss: 'self'; "
 }
- s := "script-src 'self'; "
- if unsafeEval {
- s = "script-src 'unsafe-eval' 'self'; "
- }
 w.Header().Add("Content-Security-Policy",
- c+s+"img-src data: 'self'; media-src blob: 'self'; default-src 'self'")
+ c+"img-src data: 'self'; media-src blob: 'self'; script-src 'unsafe-eval' 'self'; default-src 'self'")
 // Make browser stop sending referrer information
 w.Header().Add("Referrer-Policy", "no-referrer")
@@ -211,7 +207,7 @@ func (fh *fileHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 return
 }
- cspHeader(w, "", r.URL.Path == "/blur-background-worker.js")
+ cspHeader(w, "")
 p := r.URL.Path
 // this ensures any leading .. are removed by path.Clean below
 if !strings.HasPrefix(p, "/") {
@@ -377,7 +373,7 @@ func groupHandler(w http.ResponseWriter, r *http.Request) {
 }
 status := g.Status(false, nil)
- cspHeader(w, status.AuthServer, false)
+ cspHeader(w, status.AuthServer)
 serveFile(w, r, filepath.Join(StaticRoot, "galene.html"))
 }
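Review bot: In cspHeader (first hunk), `'unsafe-eval'` now sits in `script-src` for every response that passes through the function, not only for /blur-background-worker.js, and the new code carries no comment saying why the wider grant is needed. Add one above the `w.Header().Add("Content-Security-Policy", …)` call, for example `// 'unsafe-eval' is needed by the background-blur worker; a worker-only policy did not work, so it is granted on every response`. If what the worker needs is WebAssembly compilation (not visible here), `'wasm-unsafe-eval'` would be a narrower source expression that leaves JavaScript `eval` blocked on the pages. cspHeader's body continues past the end of the hunk.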
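Review bot: In groupHandler (third hunk), `status.AuthServer` is passed to cspHeader, which splices it into the `connect-src` directive unchecked, so a value containing `;` or spaces would add sources or whole directives to the policy served with galene.html, a policy that now also carries `'unsafe-eval'`. Where the value is set is outside this hunk; if it comes from group configuration, reduce it to a single origin before the call, e.g. `if u, err := url.Parse(status.AuthServer); err == nil && u.Host != "" { connect = u.Scheme + "://" + u.Host }` and pass `connect`, leaving it empty otherwise. groupHandler starts above the hunk.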