Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: allow iframing urls on the same domain as the deployment#18102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
Emyrk merged 4 commits intomainfromstevenmasley/csp_self_embed
May 29, 2025
Merged
Show file tree
Hide file tree
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 13 additions & 11 deletionscoderd/coderd.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -1532,17 +1532,19 @@ func New(options *Options) *API {

// Add CSP headers to all static assets and pages. CSP headers only affect
// browsers, so these don't make sense on api routes.
cspMW := httpmw.CSPHeaders(options.Telemetry.Enabled(), func() []string {
if api.DeploymentValues.Dangerous.AllowAllCors {
// In this mode, allow all external requests
return []string{"*"}
}
if f := api.WorkspaceProxyHostsFn.Load(); f != nil {
return (*f)()
}
// By default we do not add extra websocket connections to the CSP
return []string{}
}, additionalCSPHeaders)
cspMW := httpmw.CSPHeaders(
api.Experiments,
options.Telemetry.Enabled(), func() []string {
if api.DeploymentValues.Dangerous.AllowAllCors {
// In this mode, allow all external requests
return []string{"*"}
}
if f := api.WorkspaceProxyHostsFn.Load(); f != nil {
return (*f)()
}
// By default we do not add extra websocket connections to the CSP
return []string{}
}, additionalCSPHeaders)

// Static file handler must be wrapped with HSTS handler if the
// StrictTransportSecurityAge is set. We only need to set this header on
Expand Down
15 changes: 13 additions & 2 deletionscoderd/httpmw/csp.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -4,6 +4,8 @@ import (
"fmt"
"net/http"
"strings"

"github.com/coder/coder/v2/codersdk"
)

// cspDirectives is a map of all csp fetch directives to their values.
Expand DownExpand Up@@ -37,6 +39,7 @@ const (
CSPDirectiveFormAction CSPFetchDirective = "form-action"
CSPDirectiveMediaSrc CSPFetchDirective = "media-src"
CSPFrameAncestors CSPFetchDirective = "frame-ancestors"
CSPFrameSource CSPFetchDirective = "frame-src"
CSPDirectiveWorkerSrc CSPFetchDirective = "worker-src"
)

Expand All@@ -55,7 +58,7 @@ const (
// Example: https://github.com/coder/coder/issues/15118
//
//nolint:revive
func CSPHeaders(telemetry bool, websocketHosts func() []string, staticAdditions map[CSPFetchDirective][]string) func(next http.Handler) http.Handler {
func CSPHeaders(experiments codersdk.Experiments,telemetry bool, websocketHosts func() []string, staticAdditions map[CSPFetchDirective][]string) func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Content-Security-Policy disables loading certain content types and can prevent XSS injections.
Expand DownExpand Up@@ -88,13 +91,21 @@ func CSPHeaders(telemetry bool, websocketHosts func() []string, staticAdditions
CSPDirectiveMediaSrc: {"'self'"},
// Report all violations back to the server to log
CSPDirectiveReportURI: {"/api/v2/csp/reports"},
CSPFrameAncestors: {"'none'"},

// Only scripts can manipulate the dom. This prevents someone from
// naming themselves something like '<svg onload="alert(/cross-site-scripting/)" />'.
// "require-trusted-types-for" : []string{"'script'"},
}

if experiments.Enabled(codersdk.ExperimentAITasks) {
// AI tasks use iframe embeds of local apps.
// TODO: Handle region domains too, not just path based apps
cspSrcs.Append(CSPFrameAncestors, `'self'`)
cspSrcs.Append(CSPFrameSource, `'self'`)
} else {
cspSrcs.Append(CSPFrameAncestors, `'none'`)
}

if telemetry {
// If telemetry is enabled, we report to coder.com.
cspSrcs.Append(CSPDirectiveConnectSrc, "https://coder.com")
Expand Down
3 changes: 2 additions & 1 deletioncoderd/httpmw/csp_test.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -9,6 +9,7 @@ import (
"github.com/stretchr/testify/require"

"github.com/coder/coder/v2/coderd/httpmw"
"github.com/coder/coder/v2/codersdk"
)

func TestCSPConnect(t *testing.T) {
Expand All@@ -20,7 +21,7 @@ func TestCSPConnect(t *testing.T) {
r := httptest.NewRequest(http.MethodGet, "/", nil)
rw := httptest.NewRecorder()

httpmw.CSPHeaders(false, func() []string {
httpmw.CSPHeaders(codersdk.Experiments{},false, func() []string {
return expected
}, map[httpmw.CSPFetchDirective][]string{
httpmw.CSPDirectiveMediaSrc: expectedMedia,
Expand Down
Loading
[8]ページ先頭
©2009-2025 Movatter.jp