From 3beb2ed61bd85bb9e115f4735a2ec230bc72bbb7 Mon Sep 17 00:00:00 2001
From: Azareal
Date: Mon, 4 Nov 2019 17:46:34 +1000
Subject: [PATCH] Expand the Content Security Policy to the Control Panel.

---
 routes/panel/analytics.go | 1 +
 routes/panel/common.go | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/routes/panel/analytics.go b/routes/panel/analytics.go
index 0480331d..bd91426c 100644
--- a/routes/panel/analytics.go
+++ b/routes/panel/analytics.go
@@ -206,6 +206,7 @@ func PreAnalyticsDetail(w http.ResponseWriter, r *http.Request, user *c.User) (*
 	bp.AddSheet("chartist/chartist.min.css")
 	bp.AddScript("chartist/chartist.min.js")
 	bp.AddScriptAsync("analytics.js")
+	bp.LooseCSP = true
 	return bp, nil
 }
 
diff --git a/routes/panel/common.go b/routes/panel/common.go
index ced9450c..260d5825 100644
--- a/routes/panel/common.go
+++ b/routes/panel/common.go
@@ -9,7 +9,7 @@ import (
 // A blank list to fill out that parameter in Page for routes which don't use it
 var tList []interface{}
 
-var successJSONBytes = []byte(`{"success":"1"}`)
+var successJSONBytes = []byte(`{"success":1}`)
 
 // We're trying to reduce the amount of boilerplate in here, so I added these two functions, they might wind up circulating outside this file in the future
 func successRedirect(dest string, w http.ResponseWriter, r *http.Request, js bool) c.RouteError {
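Review bot: `bp.LooseCSP = true` opts the analytics detail page out of the Content-Security-Policy header altogether (renderTemplate in common.go skips the header whenever LooseCSP is set), rather than widening only the directive the chart library needs, so this page is the one control-panel view that keeps no policy at all. The policy as written already allows 'unsafe-inline' styles and 'unsafe-eval', so it is not clear from the hunk which directive chartist actually trips; that reason is worth recording next to the flag, e.g. `// LooseCSP: drops the CSP header for this page; TODO narrow to the directive chartist needs`. PreAnalyticsDetail's body starts outside the hunk.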
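Review bot: The new `successJSONBytes` value changes the `success` field from the JSON string "1" to the number 1, a wire-format change that will break any client that compares the field against "1", and it is unrelated to the CSP expansion in the subject line. If the change is deliberate it deserves a mention in the commit message and a comment on the declaration, e.g. `// success is emitted as a JSON number; older clients compared it against the string "1"`. successRedirect's body continues outside the hunk.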
@@ -23,6 +23,11 @@ func successRedirect(dest string, w http.ResponseWriter, r *http.Request, js boo
 // TODO: Prerender needs to handle dyntmpl templates better...
 func renderTemplate(tmplName string, w http.ResponseWriter, r *http.Request, header *c.Header, pi interface{}) c.RouteError {
+	// TODO: Expand this to non-HTTPS requests too
+	if !header.LooseCSP && c.Site.EnableSsl {
+		w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; frame-src 'self';upgrade-insecure-requests")
+	}
+
 	header.AddScript("global.js")
 	if c.RunPreRenderHook("pre_render_"+tmplName, w, r, &header.CurrentUser, pi) {
 		return nil