Commit 81b8bd24 authored by ale

Stricter Content-Security-Policy headers

Adds the 'base-uri', 'form-action' and 'frame-ancestors' properties.
parent 72bb1ac7
Pipeline #6705 passed with stages in 2 minutes and 53 seconds
......@@ -30,11 +30,11 @@ import (
)
// A relatively strict CSP.
const contentSecurityPolicy = "default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; connect-src 'self';"
const contentSecurityPolicy = "default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'none';"
// Slightly looser CSP for the logout page: it needs to load remote
// images.
const logoutContentSecurityPolicy = "default-src 'none'; img-src *; script-src 'self'; style-src 'self'; connect-src *;"
const logoutContentSecurityPolicy = "default-src 'none'; img-src *; script-src 'self'; style-src 'self'; connect-src *; frame-ancestors 'none'; form-action 'self'; base-uri 'none';"
// Returns the URL of the login handler on the target service.
func serviceLoginCallback(service, destination, token string) string {
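Review bot: the `form-action 'self'` added to `contentSecurityPolicy` should be checked against the login flow before merging, because `serviceLoginCallback` (just below the hunk) sends the user to a login handler on a different service. `form-action` limits where a form may be submitted, and Chrome also enforces it on redirects that follow a form submission, so a login form that POSTs to this origin and is then 302-redirected to the callback on the target service can be blocked in Chrome while it works in Firefox; either test that flow in both browsers or list the callback origins in `form-action`. Two smaller points: the suffix `frame-ancestors 'none'; form-action 'self'; base-uri 'none';` is appended verbatim to both constants, so a shared suffix constant would keep the two policies from drifting apart; and `base-uri 'none'` is the strictest setting, which is fine as long as no template emits a `<base>` element. The comment `// A relatively strict CSP.` could also name the anti-framing and base-URI restrictions so a later reader knows they are deliberate.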