fix(webserver): allow csp to be changed via config (fixes #435)

lukewhrit · lukewhrit · commit 3a2311e91bb0 · 2024-08-19T16:46:50.000-04:00
diff --git a/go.mod b/go.mod
@@ -15,7 +15,10 @@ require (
 	golang.org/x/exp v0.0.0-20230807204917-050eac23e9de
 )
 
-require github.com/dlclark/regexp2 v1.11.0 // indirect
+require (
+	github.com/dlclark/regexp2 v1.11.0 // indirect
+	golang.org/x/net v0.28.0 // indirect
+)
 
 require (
 	github.com/alecthomas/chroma/v2 v2.14.0
@@ -26,7 +29,7 @@ require (
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/sys v0.23.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -60,12 +60,16 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 golang.org/x/exp v0.0.0-20230807204917-050eac23e9de h1:l5Za6utMv/HsBWWqzt4S8X17j+kt1uVETUX5UFhn2rE=
 golang.org/x/exp v0.0.0-20230807204917-050eac23e9de/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
+golang.org/x/net v0.28.0 h1:a9JDOJc5GMUJ0+UDqmLT86WiEy7iWyIhz8gz8E4e5hE=
+golang.org/x/net v0.28.0/go.mod h1:yqtgsTWOOnlGLG9GFRrK3++bGOUEkNBoHZc8MEDWPNg=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
+golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -29,10 +29,11 @@ type Cfg struct {
 	ConnectionURI    string `env:"CONNECTION_URI" json:"-"`
 
 	// Web
-	Headless  bool   `env:"HEADLESS" envDefault:"false" json:"headless"` // Enable website
-	Analytics string `env:"ANALYTICS" envDefault:"" json:"analytics"`    // <script> tag for analytics (leave blank to disable)
-	Username  string `env:"USERNAME" envDefault:"" json:"username"`      // Basic Auth username. Required to enable Basic Auth
-	Password  string `env:"PASSWORD" envDefault:"" json:"password"`      // Basic Auth password. Required to enable Basic Auth
+	Headless              bool   `env:"HEADLESS" envDefault:"false" json:"headless"`                                                                                                                                       // Enable website
+	Analytics             string `env:"ANALYTICS" envDefault:"" json:"analytics"`                                                                                                                                          // <script> tag for analytics (leave blank to disable)
+	Username              string `env:"USERNAME" envDefault:"" json:"username"`                                                                                                                                            // Basic Auth username. Required to enable Basic Auth
+	Password              string `env:"PASSWORD" envDefault:"" json:"password"`                                                                                                                                            // Basic Auth password. Required to enable Basic Auth
+	ContentSecurityPolicy string `env:"CSP" envDefault:"default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" json:"csp"` // Content Security Policy. Must be changed if you are using analytics.
 
 	// Document
 	IDLength      int      `env:"ID_LENGTH" envDefault:"8" json:"id_length"`
diff --git a/internal/server/server.go b/internal/server/server.go
@@ -124,7 +124,7 @@ func (s *Server) RegisterHeaders() {
 	s.Router.Use(middleware.SetHeader("X-Content-Type-Options", "nosniff"))
 	s.Router.Use(middleware.SetHeader("Referrer-Policy", "no-referrer-when-downgrade"))
 	s.Router.Use(middleware.SetHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"))
-	s.Router.Use(middleware.SetHeader("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"))
+	s.Router.Use(middleware.SetHeader("Content-Security-Policy", config.Config.ContentSecurityPolicy))
 }
 
 func (s *Server) MountStatic() {

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,7 @@ func (s *Server) RegisterHeaders() {`
`124`	`124`	`s.Router.Use(middleware.SetHeader("X-Content-Type-Options", "nosniff"))`
`125`	`125`	`s.Router.Use(middleware.SetHeader("Referrer-Policy", "no-referrer-when-downgrade"))`
`126`	`126`	`s.Router.Use(middleware.SetHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"))`
`127`		`- s.Router.Use(middleware.SetHeader("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"))`
	`127`	`+ s.Router.Use(middleware.SetHeader("Content-Security-Policy", config.Config.ContentSecurityPolicy))`
`128`	`128`	`}`
`129`	`129`
`130`	`130`	`func (s *Server) MountStatic() {`