Commit57b38e5

authored

fix: allow coder.com in CSP if telemetry is enabled (#13615)

* fix: allow coder.com in CSP if telemetry is enabled* Fix control couple lint

1 parent0793a4b commit57b38e5Copy full SHA for 57b38e5

File tree

+10

-3

lines changed

+10

-3

lines changed

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1210,7 +1210,7 @@ func New(options Options) API {`
`1210`	`1210`
`1211`	`1211`	`// Add CSP headers to all static assets and pages. CSP headers only affect`
`1212`	`1212`	`// browsers, so these don't make sense on api routes.`
`1213`		`-cspMW:=httpmw.CSPHeaders(func() []string {`
	`1213`	`+cspMW:=httpmw.CSPHeaders(options.Telemetry.Enabled(),func() []string {`
`1214`	`1214`	`ifapi.DeploymentValues.Dangerous.AllowAllCors {`
`1215`	`1215`	`// In this mode, allow all external requests`
`1216`	`1216`	`return []string{"*"}`

Lines changed: 8 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,9 @@ const (`
`43`	`43`	`// CSPHeaders returns a middleware that sets the Content-Security-Policy header`
`44`	`44`	`// for coderd. It takes a function that allows adding supported external websocket`
`45`	`45`	`// hosts. This is primarily to support the terminal connecting to a workspace proxy.`
`46`		`-funcCSPHeaders(websocketHostsfunc() []string)func(next http.Handler) http.Handler {`
	`46`	`+//`
	`47`	`+//nolint:revive`
	`48`	`+funcCSPHeaders(telemetrybool,websocketHostsfunc() []string)func(next http.Handler) http.Handler {`
`47`	`49`	`returnfunc(next http.Handler) http.Handler {`
`48`	`50`	`returnhttp.HandlerFunc(func(w http.ResponseWriter,r*http.Request) {`
`49`	`51`	`// Content-Security-Policy disables loading certain content types and can prevent XSS injections.`
`@@ -83,6 +85,11 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han`
`83`	`85`	`// "require-trusted-types-for" : []string{"'script'"},`
`84`	`86`	`}`
`85`	`87`
	`88`	`+iftelemetry {`
	`89`	`+// If telemetry is enabled, we report to coder.com.`
	`90`	`+cspSrcs.Append(cspDirectiveConnectSrc,"https://coder.com")`
	`91`	`+}`
	`92`	`+`
`86`	`93`	`// This extra connect-src addition is required to support old webkit`
`87`	`94`	`// based browsers (Safari).`
`88`	`95`	`// See issue: https://github.com/w3c/webappsec-csp/issues/7`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ func TestCSPConnect(t *testing.T) {`
`19`	`19`	`r:=httptest.NewRequest(http.MethodGet,"/",nil)`
`20`	`20`	`rw:=httptest.NewRecorder()`
`21`	`21`
`22`		`-httpmw.CSPHeaders(func() []string {`
	`22`	`+httpmw.CSPHeaders(false,func() []string {`
`23`	`23`	`returnexpected`
`24`	`24`	`})(http.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
`25`	`25`	`rw.WriteHeader(http.StatusOK)`

Comments

(0)