Stricter Content-Security-Policy headers

Adds the 'base-uri', 'form-action' and 'frame-ancestors' properties.

Stricter Content-Security-Policy headers
Adds the 'base-uri', 'form-action' and 'frame-ancestors' properties.
81b8bd24 · ale · 72bb1ac7 · 81b8bd24
Commit 81b8bd24 authored May 04, 2020 by ale
--- a/server/http.go
+++ b/server/http.go
@@ -30,11 +30,11 @@ import (
 )

 // A relatively strict CSP.
-const contentSecurityPolicy = "default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; connect-src 'self';"
+const contentSecurityPolicy = "default-src 'none'; img-src 'self' data:; script-src 'self'; style-src 'self'; connect-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'none';"

 // Slightly looser CSP for the logout page: it needs to load remote
 // images.
-const logoutContentSecurityPolicy = "default-src 'none'; img-src *; script-src 'self'; style-src 'self'; connect-src *;"
+const logoutContentSecurityPolicy = "default-src 'none'; img-src *; script-src 'self'; style-src 'self'; connect-src *; frame-ancestors 'none'; form-action 'self'; base-uri 'none';"

 // Returns the URL of the login handler on the target service.
 func serviceLoginCallback(service, destination, token string) string {