
Don't attempt to special-case worker CSP.

It doesn't work.
This commit is contained in:
Juliusz Chroboczek 2024-12-13 13:58:26 +01:00
parent 801e10c824
commit 6e10da0116


@ -88,17 +88,13 @@ func Serve(address string, dataDir string) error {
return nil return nil
} }
func cspHeader(w http.ResponseWriter, connect string, unsafeEval bool) { func cspHeader(w http.ResponseWriter, connect string) {
c := "connect-src ws: wss: 'self'; " c := "connect-src ws: wss: 'self'; "
if connect != "" { if connect != "" {
c = "connect-src " + connect + " ws: wss: 'self'; " c = "connect-src " + connect + " ws: wss: 'self'; "
} }
s := "script-src 'self'; "
if unsafeEval {
s = "script-src 'unsafe-eval' 'self'; "
}
w.Header().Add("Content-Security-Policy", w.Header().Add("Content-Security-Policy",
c+s+"img-src data: 'self'; media-src blob: 'self'; default-src 'self'") c+"img-src data: 'self'; media-src blob: 'self'; script-src 'unsafe-eval' 'self'; default-src 'self'")
// Make browser stop sending referrer information // Make browser stop sending referrer information
w.Header().Add("Referrer-Policy", "no-referrer") w.Header().Add("Referrer-Policy", "no-referrer")
@ -211,7 +207,7 @@ func (fh *fileHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
return return
} }
cspHeader(w, "", r.URL.Path == "/blur-background-worker.js") cspHeader(w, "")
p := r.URL.Path p := r.URL.Path
// this ensures any leading .. are removed by path.Clean below // this ensures any leading .. are removed by path.Clean below
if !strings.HasPrefix(p, "/") { if !strings.HasPrefix(p, "/") {
@ -377,7 +373,7 @@ func groupHandler(w http.ResponseWriter, r *http.Request) {
} }
status := g.Status(false, nil) status := g.Status(false, nil)
cspHeader(w, status.AuthServer, false) cspHeader(w, status.AuthServer)
serveFile(w, r, filepath.Join(StaticRoot, "galene.html")) serveFile(w, r, filepath.Join(StaticRoot, "galene.html"))
} }
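Review bot: With the conditional removed, the header string cspHeader now writes (the `c+"img-src data: ..."` line in the first hunk) carries `'unsafe-eval'` in `script-src` on every response, including the group page served from groupHandler, whereas the previous code limited it to the worker script; a script injection on any page therefore regains eval()/new Function(), which is the main thing a CSP without 'unsafe-eval' takes away. If the worker needs this only to compile WebAssembly, the narrower `'wasm-unsafe-eval'` keyword keeps eval() blocked while still allowing WebAssembly compilation, i.e. `c+"img-src data: 'self'; media-src blob: 'self'; script-src 'wasm-unsafe-eval' 'self'; default-src 'self'")`; whether that suffices depends on what the worker actually does and should be verified in a browser. Whatever keyword is kept, a comment on the line before the `w.Header().Add("Content-Security-Policy",` call, e.g. `// 'unsafe-eval' is needed by the background-blur worker; a per-path CSP does not work for it`, would record why the policy is loosened so a later cleanup does not drop it without checking the worker. cspHeader's body continues past the end of the first hunk.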