synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-09 11:45:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: allow coder.com in CSP if telemetry is enabled (#13615)

Browse Source 
* fix: allow coder.com in CSP if telemetry is enabled

* Fix control couple lint
This commit is contained in:
Kyle Carberry
2024-06-20 15:05:22 -05:00
committed by GitHub
parent 0793a4b35b
commit 57b38e5bb8
3 changed files with 10 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
coderd/coderd.go
View File

@ -1210,7 +1210,7 @@ func New(options *Options) *API {
// Add CSP headers to all static assets and pages. CSP headers only affect
// browsers, so these don't make sense on api routes.
cspMW := httpmw.CSPHeaders(func() []string {
cspMW := httpmw.CSPHeaders(options.Telemetry.Enabled(), func() []string {
if api.DeploymentValues.Dangerous.AllowAllCors {
// In this mode, allow all external requests
return []string{"*"}

9
coderd/httpmw/csp.go
View File

@ -43,7 +43,9 @@ const (
// CSPHeaders returns a middleware that sets the Content-Security-Policy header
// for coderd. It takes a function that allows adding supported external websocket
// hosts. This is primarily to support the terminal connecting to a workspace proxy.
func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Handler {
//
//nolint:revive
func CSPHeaders(telemetry bool, websocketHosts func() []string) func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Content-Security-Policy disables loading certain content types and can prevent XSS injections.
@ -83,6 +85,11 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han
// "require-trusted-types-for" : []string{"'script'"},
}
if telemetry {
// If telemetry is enabled, we report to coder.com.
cspSrcs.Append(cspDirectiveConnectSrc, "https://coder.com")
}
// This extra connect-src addition is required to support old webkit
// based browsers (Safari).
// See issue: https://github.com/w3c/webappsec-csp/issues/7

2
coderd/httpmw/csp_test.go
View File

@ -19,7 +19,7 @@ func TestCSPConnect(t *testing.T) {
r := httptest.NewRequest(http.MethodGet, "/", nil)
rw := httptest.NewRecorder()
httpmw.CSPHeaders(func() []string {
httpmw.CSPHeaders(false, func() []string {
return expected
})(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
rw.WriteHeader(http.StatusOK)