synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-15 22:20:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: allow coder.com in CSP if telemetry is enabled (#13615)

Browse Source 
* fix: allow coder.com in CSP if telemetry is enabled

* Fix control couple lint
This commit is contained in:
Kyle Carberry
2024-06-20 15:05:22 -05:00
committed by GitHub
parent 0793a4b35b
commit 57b38e5bb8
3 changed files with 10 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
coderd/httpmw/csp.go
View File

@ -43,7 +43,9 @@ const (
// CSPHeaders returns a middleware that sets the Content-Security-Policy header
// for coderd. It takes a function that allows adding supported external websocket
// hosts. This is primarily to support the terminal connecting to a workspace proxy.
func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Handler {
//
//nolint:revive
func CSPHeaders(telemetry bool, websocketHosts func() []string) func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Content-Security-Policy disables loading certain content types and can prevent XSS injections.
@ -83,6 +85,11 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han
// "require-trusted-types-for" : []string{"'script'"},
}
if telemetry {
// If telemetry is enabled, we report to coder.com.
cspSrcs.Append(cspDirectiveConnectSrc, "https://coder.com")
}
// This extra connect-src addition is required to support old webkit
// based browsers (Safari).
// See issue: https://github.com/w3c/webappsec-csp/issues/7