fix: Worker security policy (#5093)
@ -251,6 +251,7 @@ const (
|
||||
CSPDirectiveFormAction = "form-action"
|
||||
CSPDirectiveMediaSrc = "media-src"
|
||||
CSPFrameAncestors = "frame-ancestors"
|
||||
CSPDirectiveWorkerSrc = "worker-src"
|
||||
)
|
||||
|
||||
func cspHeaders(next http.Handler) http.Handler {
|
||||
@ -283,6 +284,8 @@ func cspHeaders(next http.Handler) http.Handler {
|
||||
// Report all violations back to the server to log
|
||||
CSPDirectiveReportURI: {"/api/v2/csp/reports"},
|
||||
CSPFrameAncestors: {"'none'"},
|
||||
// worker for loading the .tar files on FE using js-untar
|
||||
CSPDirectiveWorkerSrc: {"'self' blob:"},
|
||||
|
||||
// Only scripts can manipulate the dom. This prevents someone from
|
||||
// naming themselves something like '<svg onload="alert(/cross-site-scripting/)" />'.
|
||||
|
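Review bot: `CSPDirectiveWorkerSrc: {"'self' blob:"}` packs two source expressions into one slice element, whereas the other directives in this map hold one source per entry; if the values are space-joined when the header is built (the join is outside the hunk), `{"'self'", "blob:"}` keeps the same shape and lets each source be reviewed or dropped independently. The `blob:` source also deserves a more precise comment, since it means any script already running in the page can start a worker from a blob URL it constructs, so the relaxation is bounded only by the page's script-src; something like `// js-untar starts its worker from a blob: URL, which 'self' alone blocks. blob: widens worker-src only, not script-src; drop it if the tar loader changes.` The constant added in the first hunk follows `CSPFrameAncestors`, which already breaks the `CSPDirective*` naming run, so the inconsistency is pre-existing but worth noting if that name is ever aligned. The body of cspHeaders continues outside the hunk.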