feat: allow iframing urls on the same domain as the deployment (#18102)

Used for AI tasks. We should eventually add regions to this csp header.
Steven Masley
2025-05-29 10:07:57 -05:00
committed by GitHub
parent 201b0b10e8
commit e4648b6fc1
3 changed files with 28 additions and 14 deletions


@ -1532,17 +1532,19 @@ func New(options *Options) *API {
// Add CSP headers to all static assets and pages. CSP headers only affect
// browsers, so these don't make sense on api routes.
cspMW := httpmw.CSPHeaders(options.Telemetry.Enabled(), func() []string {
if api.DeploymentValues.Dangerous.AllowAllCors {
// In this mode, allow all external requests
return []string{"*"}
}
if f := api.WorkspaceProxyHostsFn.Load(); f != nil {
return (*f)()
}
// By default we do not add extra websocket connections to the CSP
return []string{}
}, additionalCSPHeaders)
cspMW := httpmw.CSPHeaders(
api.Experiments,
options.Telemetry.Enabled(), func() []string {
if api.DeploymentValues.Dangerous.AllowAllCors {
// In this mode, allow all external requests
return []string{"*"}
}
if f := api.WorkspaceProxyHostsFn.Load(); f != nil {
return (*f)()
}
// By default we do not add extra websocket connections to the CSP
return []string{}
}, additionalCSPHeaders)
// Static file handler must be wrapped with HSTS handler if the
// StrictTransportSecurityAge is set. We only need to set this header on