NotificationsYou must be signed in to change notification settings
Fork905
Star10k

Commite4648b6

authored

feat: allow iframing urls on the same domain as the deployment (#18102)

Used for AI tasks. We should eventually add regions to this csp header.

1 parent201b0b1 commite4648b6Copy full SHA for e4648b6

File tree

3 files changed

+28

-14

lines changed

coderd
- coderd.go
- httpmw
  - csp.go
  - csp_test.go

3 files changed

+28

-14

lines changed

`‎coderd/coderd.go`

Lines changed: 13 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -1532,17 +1532,19 @@ func New(options Options) API {`
`1532`	`1532`
`1533`	`1533`	`// Add CSP headers to all static assets and pages. CSP headers only affect`
`1534`	`1534`	`// browsers, so these don't make sense on api routes.`
`1535`		`-cspMW:=httpmw.CSPHeaders(options.Telemetry.Enabled(),func() []string {`
`1536`		`-ifapi.DeploymentValues.Dangerous.AllowAllCors {`
`1537`		`-// In this mode, allow all external requests`
`1538`		`-return []string{"*"}`
`1539`		`-}`
`1540`		`-iff:=api.WorkspaceProxyHostsFn.Load();f!=nil {`
`1541`		`-return (*f)()`
`1542`		`-}`
`1543`		`-// By default we do not add extra websocket connections to the CSP`
`1544`		`-return []string{}`
`1545`		`-},additionalCSPHeaders)`
	`1535`	`+cspMW:=httpmw.CSPHeaders(`
	`1536`	`+api.Experiments,`
	`1537`	`+options.Telemetry.Enabled(),func() []string {`
	`1538`	`+ifapi.DeploymentValues.Dangerous.AllowAllCors {`
	`1539`	`+// In this mode, allow all external requests`
	`1540`	`+return []string{"*"}`
	`1541`	`+}`
	`1542`	`+iff:=api.WorkspaceProxyHostsFn.Load();f!=nil {`
	`1543`	`+return (*f)()`
	`1544`	`+}`
	`1545`	`+// By default we do not add extra websocket connections to the CSP`
	`1546`	`+return []string{}`
	`1547`	`+},additionalCSPHeaders)`
`1546`	`1548`
`1547`	`1549`	`// Static file handler must be wrapped with HSTS handler if the`
`1548`	`1550`	`// StrictTransportSecurityAge is set. We only need to set this header on`

`‎coderd/httpmw/csp.go`

Lines changed: 13 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,8 @@ import (`
`4`	`4`	`"fmt"`
`5`	`5`	`"net/http"`
`6`	`6`	`"strings"`
	`7`	`+`
	`8`	`+"github.com/coder/coder/v2/codersdk"`
`7`	`9`	`)`
`8`	`10`
`9`	`11`	`// cspDirectives is a map of all csp fetch directives to their values.`
`@@ -37,6 +39,7 @@ const (`
`37`	`39`	`CSPDirectiveFormActionCSPFetchDirective="form-action"`
`38`	`40`	`CSPDirectiveMediaSrcCSPFetchDirective="media-src"`
`39`	`41`	`CSPFrameAncestorsCSPFetchDirective="frame-ancestors"`
	`42`	`+CSPFrameSourceCSPFetchDirective="frame-src"`
`40`	`43`	`CSPDirectiveWorkerSrcCSPFetchDirective="worker-src"`
`41`	`44`	`)`
`42`	`45`
`@@ -55,7 +58,7 @@ const (`
`55`	`58`	`// Example: https://github.com/coder/coder/issues/15118`
`56`	`59`	`//`
`57`	`60`	`//nolint:revive`
`58`		`-funcCSPHeaders(telemetrybool,websocketHostsfunc() []string,staticAdditionsmap[CSPFetchDirective][]string)func(next http.Handler) http.Handler {`
	`61`	`+funcCSPHeaders(experiments codersdk.Experiments,telemetrybool,websocketHostsfunc() []string,staticAdditionsmap[CSPFetchDirective][]string)func(next http.Handler) http.Handler {`
`59`	`62`	`returnfunc(next http.Handler) http.Handler {`
`60`	`63`	`returnhttp.HandlerFunc(func(w http.ResponseWriter,r*http.Request) {`
`61`	`64`	`// Content-Security-Policy disables loading certain content types and can prevent XSS injections.`
`@@ -88,13 +91,21 @@ func CSPHeaders(telemetry bool, websocketHosts func() []string, staticAdditions`
`88`	`91`	`CSPDirectiveMediaSrc: {"'self'"},`
`89`	`92`	`// Report all violations back to the server to log`
`90`	`93`	`CSPDirectiveReportURI: {"/api/v2/csp/reports"},`
`91`		`-CSPFrameAncestors: {"'none'"},`
`92`	`94`
`93`	`95`	`// Only scripts can manipulate the dom. This prevents someone from`
`94`	`96`	`// naming themselves something like '<svg onload="alert(/cross-site-scripting/)" />'.`
`95`	`97`	`// "require-trusted-types-for" : []string{"'script'"},`
`96`	`98`	`}`
`97`	`99`
	`100`	`+ifexperiments.Enabled(codersdk.ExperimentAITasks) {`
	`101`	`+// AI tasks use iframe embeds of local apps.`
	`102`	`+// TODO: Handle region domains too, not just path based apps`
	`103`	+cspSrcs.Append(CSPFrameAncestors,`'self'`)
	`104`	+cspSrcs.Append(CSPFrameSource,`'self'`)
	`105`	`+}else {`
	`106`	+cspSrcs.Append(CSPFrameAncestors,`'none'`)
	`107`	`+}`
	`108`	`+`
`98`	`109`	`iftelemetry {`
`99`	`110`	`// If telemetry is enabled, we report to coder.com.`
`100`	`111`	`cspSrcs.Append(CSPDirectiveConnectSrc,"https://coder.com")`

`‎coderd/httpmw/csp_test.go`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ import (`
`9`	`9`	`"github.com/stretchr/testify/require"`
`10`	`10`
`11`	`11`	`"github.com/coder/coder/v2/coderd/httpmw"`
	`12`	`+"github.com/coder/coder/v2/codersdk"`
`12`	`13`	`)`
`13`	`14`
`14`	`15`	`funcTestCSPConnect(t*testing.T) {`
`@@ -20,7 +21,7 @@ func TestCSPConnect(t *testing.T) {`
`20`	`21`	`r:=httptest.NewRequest(http.MethodGet,"/",nil)`
`21`	`22`	`rw:=httptest.NewRecorder()`
`22`	`23`
`23`		`-httpmw.CSPHeaders(false,func() []string {`
	`24`	`+httpmw.CSPHeaders(codersdk.Experiments{},false,func() []string {`
`24`	`25`	`returnexpected`
`25`	`26`	`},map[httpmw.CSPFetchDirective][]string{`
`26`	`27`	`httpmw.CSPDirectiveMediaSrc:expectedMedia,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commite4648b6

File tree

3 files changed

3 files changed

`‎coderd/coderd.go`

`‎coderd/httpmw/csp.go`

`‎coderd/httpmw/csp_test.go`

0 commit comments