Push CSPs for non-HTTPS connections too.

This commit is contained in:
Azareal 2019-11-04 20:11:07 +10:00
parent 3beb2ed61b
commit 0f75e96a2d
2 changed files with 15 additions and 9 deletions

View File

@ -10,7 +10,7 @@ import (
c "github.com/Azareal/Gosora/common" c "github.com/Azareal/Gosora/common"
) )
var successJSONBytes = []byte(`{"success":"1"}`) var successJSONBytes = []byte(`{"success":1}`)
func ParseSEOURL(urlBit string) (slug string, id int, err error) { func ParseSEOURL(urlBit string) (slug string, id int, err error) {
halves := strings.Split(urlBit, ".") halves := strings.Split(urlBit, ".")
@ -29,7 +29,7 @@ func doPush(w http.ResponseWriter, header *c.Header) {
if c.Config.EnableCDNPush { if c.Config.EnableCDNPush {
// TODO: Cache these in a sync.Pool? // TODO: Cache these in a sync.Pool?
var sb strings.Builder var sb strings.Builder
var push = func(in []string) { push := func(in []string) {
sb.Grow((slen1 + 5) * len(in)) sb.Grow((slen1 + 5) * len(in))
for _, path := range in { for _, path := range in {
sb.WriteString("</s/") sb.WriteString("</s/")
@ -67,7 +67,7 @@ func doPush(w http.ResponseWriter, header *c.Header) {
} }
//fmt.Println("has pusher") //fmt.Println("has pusher")
var push = func(in []string) { push := func(in []string) {
for _, path := range in { for _, path := range in {
//fmt.Println("pushing /s/" + path) //fmt.Println("pushing /s/" + path)
// TODO: Avoid concatenating here // TODO: Avoid concatenating here
@ -98,9 +98,12 @@ func renderTemplate2(tmplName string, hookName string, w http.ResponseWriter, r
} }
func FootHeaders(w http.ResponseWriter, header *c.Header) { func FootHeaders(w http.ResponseWriter, header *c.Header) {
// TODO: Expand this to non-HTTPS requests too if !header.LooseCSP {
if !header.LooseCSP && c.Site.EnableSsl { if c.Site.EnableSsl {
w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; frame-src 'self' www.youtube-nocookie.com;upgrade-insecure-requests") w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; frame-src 'self' www.youtube-nocookie.com;upgrade-insecure-requests")
} else {
w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; frame-src 'self' www.youtube-nocookie.com")
}
} }
// Server pushes can backfire on certain browsers, so we want to make sure it's only triggered for ones where it'll help // Server pushes can backfire on certain browsers, so we want to make sure it's only triggered for ones where it'll help

View File

@ -23,9 +23,12 @@ func successRedirect(dest string, w http.ResponseWriter, r *http.Request, js boo
// TODO: Prerender needs to handle dyntmpl templates better... // TODO: Prerender needs to handle dyntmpl templates better...
func renderTemplate(tmplName string, w http.ResponseWriter, r *http.Request, header *c.Header, pi interface{}) c.RouteError { func renderTemplate(tmplName string, w http.ResponseWriter, r *http.Request, header *c.Header, pi interface{}) c.RouteError {
// TODO: Expand this to non-HTTPS requests too if !header.LooseCSP {
if !header.LooseCSP && c.Site.EnableSsl { if c.Site.EnableSsl {
w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; frame-src 'self';upgrade-insecure-requests") w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; frame-src 'self';upgrade-insecure-requests")
} else {
w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; img-src * data: 'unsafe-eval' 'unsafe-inline'; connect-src * 'unsafe-eval' 'unsafe-inline'; frame-src 'self'")
}
} }
header.AddScript("global.js") header.AddScript("global.js")