Commit 1712ee81 authored by ale's avatar ale

Fix the Content-Security-Policy of the logout page

Allow loading remote images.
parent 10356d24
Pipeline #907 passed with stages
in 1 minute and 11 seconds
......@@ -270,6 +270,8 @@ func (h *Server) handleLogout(w http.ResponseWriter, req *http.Request, session
log.Printf("failed to wipe keystore for user %s: %v", session.Username, err)
w.Header().Set("Content-Security-Policy", logoutContentSecurityPolicy)
h.tpl.ExecuteTemplate(w, "logout.html", data)
......@@ -342,15 +344,21 @@ func (h *Server) Handler() http.Handler {
// A relatively strict CSP.
const contentSecurityPolicy = "default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; connect-src 'self';"
// Slightly looser CSP for the logout page: it needs to load remote
// images.
const logoutContentSecurityPolicy = "default-src 'none'; img-src *; script-src 'self'; style-src 'self'; connect-src 'self';"
func withDynamicHeaders(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Pragma", "no-cache")
w.Header().Set("Cache-Control", "no-store")
w.Header().Set("Expires", "-1")
w.Header().Set("Content-Security-Policy", contentSecurityPolicy)
w.Header().Set("X-Frame-Options", "NONE")
w.Header().Set("X-XSS-Protection", "1; mode=block")
w.Header().Set("X-Content-Type-Options", "nosniff")
if w.Header().Get("Content-Security-Policy") == "" {
w.Header().Set("Content-Security-Policy", contentSecurityPolicy)
h.ServeHTTP(w, r)
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment