fix: Worker security policy (#5093)
@ -251,6 +251,7 @@ const (
|
|||||||
CSPDirectiveFormAction = "form-action"
|
CSPDirectiveFormAction = "form-action"
|
||||||
CSPDirectiveMediaSrc = "media-src"
|
CSPDirectiveMediaSrc = "media-src"
|
||||||
CSPFrameAncestors = "frame-ancestors"
|
CSPFrameAncestors = "frame-ancestors"
|
||||||
|
CSPDirectiveWorkerSrc = "worker-src"
|
||||||
)
|
)
|
||||||
|
|
||||||
func cspHeaders(next http.Handler) http.Handler {
|
func cspHeaders(next http.Handler) http.Handler {
|
||||||
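Review bot: The new constant `CSPDirectiveWorkerSrc` enters a const block whose entries carry no comments, and its value in the second hunk, `"'self' blob:"`, is explained only by a js-untar remark that does not say why `'self'` alone is insufficient or what the directive changes. A comment at the point of use such as `// worker-src: js-untar spawns its Worker from a blob: URL, so 'self' alone blocks it; without this directive worker scripts fall back to the script-src list.` records both the need for blob: and the policy it overrides, which is what a later reviewer tightening the CSP will want to know. The other values visible in the map hold one source per slice element (`{"'none'"}`, `{"/api/v2/csp/reports"}`); if the header builder joins elements with spaces, `{"'self'", "blob:"}` would match that shape rather than packing two sources into one string — the join itself is not visible in these hunks. The second hunk and the body of cspHeaders run past the visible region.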
@ -283,6 +284,8 @@ func cspHeaders(next http.Handler) http.Handler {
|
|||||||
// Report all violations back to the server to log
|
// Report all violations back to the server to log
|
||||||
CSPDirectiveReportURI: {"/api/v2/csp/reports"},
|
CSPDirectiveReportURI: {"/api/v2/csp/reports"},
|
||||||
CSPFrameAncestors: {"'none'"},
|
CSPFrameAncestors: {"'none'"},
|
||||||
|
// worker for loading the .tar files on FE using js-untar
|
||||||
|
CSPDirectiveWorkerSrc: {"'self' blob:"},
|
||||||
|
|
||||||
// Only scripts can manipulate the dom. This prevents someone from
|
// Only scripts can manipulate the dom. This prevents someone from
|
||||||
// naming themselves something like '<svg onload="alert(/cross-site-scripting/)" />'.
|
// naming themselves something like '<svg onload="alert(/cross-site-scripting/)" />'.
|
||||||
|