synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-09 11:45:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Worker security policy (#5093)

Browse Source
This commit is contained in:
Bruno Quaresma
2022-11-15 14:02:24 -03:00
committed by GitHub
parent 9fb710a04f
commit e68923fa36
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
site/site.go
View File

@ -251,6 +251,7 @@ const (
CSPDirectiveFormAction = "form-action"
CSPDirectiveMediaSrc = "media-src"
CSPFrameAncestors = "frame-ancestors"
CSPDirectiveWorkerSrc = "worker-src"
)
func cspHeaders(next http.Handler) http.Handler {
@ -283,6 +284,8 @@ func cspHeaders(next http.Handler) http.Handler {
// Report all violations back to the server to log
CSPDirectiveReportURI: {"/api/v2/csp/reports"},
CSPFrameAncestors: {"'none'"},
// worker for loading the .tar files on FE using js-untar
CSPDirectiveWorkerSrc: {"'self' blob:"},
// Only scripts can manipulate the dom. This prevents someone from
// naming themselves something like '<svg onload="alert(/cross-site-scripting/)" />'.