From 1712ee81789205203a2bcd783cee8b41cee5df2d Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sun, 18 Feb 2018 10:18:22 +0000
Subject: [PATCH] Fix the Content-Security-Policy of the logout page

Allow loading remote images.
---
 server/http.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/server/http.go b/server/http.go
index c79919f..cd4936c 100644
--- a/server/http.go
+++ b/server/http.go
@@ -270,6 +270,8 @@ func (h *Server) handleLogout(w http.ResponseWriter, req *http.Request, session
 				log.Printf("failed to wipe keystore for user %s: %v", session.Username, err)
 			}
 		}
+
+		w.Header().Set("Content-Security-Policy", logoutContentSecurityPolicy)
 	}
 
 	h.tpl.ExecuteTemplate(w, "logout.html", data)
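Review bot: The new `Content-Security-Policy` Set on the added line sits inside the block that closes at the `}` on the following line, while `h.tpl.ExecuteTemplate(w, "logout.html", data)` runs unconditionally after it, so when that enclosing branch is not taken the logout page is still rendered under the stricter default policy and its remote images would be blocked. If the looser policy is meant for every rendering of logout.html, the header should be set right before the template call, outside the conditional, e.g. `w.Header().Set("Content-Security-Policy", logoutContentSecurityPolicy)` immediately above `h.tpl.ExecuteTemplate(...)`. The enclosing `if` and handleLogout itself start and end outside the hunk, so this is inferred from the visible nesting and should be checked against the full function.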
@@ -342,15 +344,21 @@ func (h *Server) Handler() http.Handler {
 // A relatively strict CSP.
 const contentSecurityPolicy = "default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; connect-src 'self';"
 
+// Slightly looser CSP for the logout page: it needs to load remote
+// images.
+const logoutContentSecurityPolicy = "default-src 'none'; img-src *; script-src 'self'; style-src 'self'; connect-src 'self';"
+
 func withDynamicHeaders(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Pragma", "no-cache")
 		w.Header().Set("Cache-Control", "no-store")
 		w.Header().Set("Expires", "-1")
-		w.Header().Set("Content-Security-Policy", contentSecurityPolicy)
 		w.Header().Set("X-Frame-Options", "NONE")
 		w.Header().Set("X-XSS-Protection", "1; mode=block")
 		w.Header().Set("X-Content-Type-Options", "nosniff")
+		if w.Header().Get("Content-Security-Policy") == "" {
+			w.Header().Set("Content-Security-Policy", contentSecurityPolicy)
+		}
 		h.ServeHTTP(w, r)
 	})
 }
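Review bot: The `if w.Header().Get("Content-Security-Policy") == ""` guard runs before `h.ServeHTTP(w, r)`, so it can never observe the header that handleLogout sets later; the override works only because `Header().Set` in the handler replaces the value this middleware already wrote, and the guard itself only matters if some outer middleware sets the header first. A comment on the guard would prevent a future reader from assuming the inner handler is what it protects, e.g. `// Default policy; a handler may override it with Header().Set before writing the response.`. The comment on `logoutContentSecurityPolicy` should also record the trade-off that `img-src *` removes the same-origin restriction for images entirely, so that the logout page must not render attacker-influenced image URLs (where those URLs come from is not visible here); if the remote image hosts are known, listing them instead of `*` keeps the policy narrow.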
-- 
GitLab