fix: Worker security policy (#5093)

This commit is contained in:
Bruno Quaresma
2022-11-15 14:02:24 -03:00
committed by GitHub
parent 9fb710a04f
commit e68923fa36


@ -251,6 +251,7 @@ const (
CSPDirectiveFormAction = "form-action"
CSPDirectiveMediaSrc = "media-src"
CSPFrameAncestors = "frame-ancestors"
CSPDirectiveWorkerSrc = "worker-src"
)
func cspHeaders(next http.Handler) http.Handler {
@ -283,6 +284,8 @@ func cspHeaders(next http.Handler) http.Handler {
// Report all violations back to the server to log
CSPDirectiveReportURI: {"/api/v2/csp/reports"},
CSPFrameAncestors: {"'none'"},
// worker for loading the .tar files on FE using js-untar
CSPDirectiveWorkerSrc: {"'self' blob:"},
// Only scripts can manipulate the dom. This prevents someone from
// naming themselves something like '<svg onload="alert(/cross-site-scripting/)" />'.
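Review bot: The new `CSPDirectiveWorkerSrc` entry packs two sources into one slice element, `"'self' blob:"`, while the neighbouring entries hold one source per element; if the other multi-source directives in this map list each source separately, `CSPDirectiveWorkerSrc: {"'self'", "blob:"},` would match them and keeps each source greppable. The comment above it says what the worker is for but not why `blob:` is needed, and `blob:` is the part a later reader is most likely to trim as "unnecessary"; I would replace it with `// js-untar appears to spawn its worker from a Blob URL, so blob: is required alongside 'self'; without an explicit worker-src the browser falls back to child-src and then script-src.` The widening is bounded in any case, since a blob: worker can only be created by script that is already executing under script-src. If there is a test asserting the emitted Content-Security-Policy header, it should be extended to expect the worker-src directive; the first hunk only adds the constant and needs nothing. The enclosing cspHeaders map literal starts before this hunk.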