feat: add csp headers for embedded apps (#18374)

I modified the proxy host cache we already had and were using for
WebSocket CSP headers to also include the wildcard app host, then used
those for frame-src policies.

I did not add frame-ancestors, since if I understand correctly, those
would go on the app, and this middleware does not come into play there.
Maybe we will want to add it on workspace apps like we do with cors, if
we find apps are setting it to `none` or something.

Closes https://github.com/coder/internal/issues/684
Asher
2025-06-17 09:00:32 -08:00
committed by GitHub
parent aee96c9eac
commit 82c14e00ce
8 changed files with 180 additions and 57 deletions


@ -965,12 +965,8 @@ func convertRegion(proxy database.WorkspaceProxy, status proxyhealth.ProxyStatus
func convertProxy(p database.WorkspaceProxy, status proxyhealth.ProxyStatus) codersdk.WorkspaceProxy {
now := dbtime.Now()
if p.IsPrimary() {
// Primary is always healthy since the primary serves the api that this
// is returned from.
u, _ := url.Parse(p.Url)
status = proxyhealth.ProxyStatus{
Proxy: p,
ProxyHost: u.Host,
Status: proxyhealth.Healthy,
Report: codersdk.ProxyHealthReport{},
CheckedAt: now,
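Review bot: the `u, _ := url.Parse(p.Url)` line in the `p.IsPrimary()` branch discards the parse error, and `url.Parse` returns a nil `*URL` on failure, so the following `ProxyHost: u.Host` would panic on a malformed access URL. Either check the error here (`u, err := url.Parse(p.Url); if err != nil { ... }`, leaving `ProxyHost` empty and logging) or document that `p.Url` is validated before it reaches `convertProxy`.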