browse: add Content-Security-Policy w/ nonce #6425
Conversation
Thanks for the clever enhancement! I like this a lot. Just one question for you, then I think we can merge this.
Also... lol, I love all these test cases: https://alma.stbu.net/testing-something/test-cases/
I did notice there's still CSP warnings in Firefox:
I will have a look at this.
I will make the following changes to the Content Security Policy to address specific warnings:
After these changes, only the following warning will remain due to the presence of
Unfortunately, Firefox will log this directive being ignored. We must make a trade-off between this warning and maintaining backward compatibility.
This pull request is adding a Content-Security-Policy (CSP) response header to the file server browse template. The CSP Version 3 is using `strict-dynamic` for `script-src` and `style-src` with a generated, unique `nonce`, which is then used in `<script>` and `<style>` to whitelist the content of such elements.

Also:

- `svg` such as the caddy-logo, have been changed into svg-attributes.
- `body` or `href` attribute to a dedicated `<script>` section with an event listener.

See also: https://caddy.community/t/best-practice-csp-for-file-server-browse/24714

Right now, the CSP is enabled by default with `$enableCsp := true`, so it would also be rather easy to disable it with this single change in a custom browse template.

At the moment, this browse template is active here: https://alma.stbu.net/testing-something/
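The nonce-plus-`strict-dynamic` mechanism the description sketches, as an added Go example that is not the PR's or Caddy's own code: the template and the directive set are constructed for illustration, and the template's `$enableCsp` switch is mirrored by a boolean parameter.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html/template"
)

// Constructed stand-in for the browse template: each inline <script>/<style>
// carries the per-request nonce so the CSP allows exactly those elements.
var tmpl = template.Must(template.New("browse").Parse(`<!doctype html><html><head>
<style nonce="{{.Nonce}}">body{font-family:sans-serif}</style>
<script nonce="{{.Nonce}}">document.addEventListener("click",function(e){});</script>
</head><body><ul>{{range .Entries}}<li>{{.}}</li>{{end}}</ul></body></html>`))

// newNonce returns 128 CSPRNG bits as URL-safe base64: a valid CSP base64-value
// with no '+', which html/template would entity-encode inside an attribute.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// cspHeader builds the CSP3 policy: inline script/style load only with the nonce,
// and 'strict-dynamic' lets nonce-trusted scripts load further scripts without
// host allow-lists. The directive set here is this example's choice.
func cspHeader(nonce string) string {
	return fmt.Sprintf("default-src 'none'; script-src 'nonce-%s' 'strict-dynamic'; style-src 'nonce-%s'", nonce, nonce)
}

// renderBrowse renders the page with a fresh nonce and returns the matching header
// value (empty when CSP is off, mirroring $enableCsp); the caller emits it with
// w.Header().Set("Content-Security-Policy", csp) on the same response.
func renderBrowse(enableCsp bool, entries []string) (csp, body string, err error) {
	nonce, err := newNonce()
	if err != nil {
		return "", "", err
	}
	var buf bytes.Buffer
	if err = tmpl.Execute(&buf, map[string]interface{}{"Nonce": nonce, "Entries": entries}); err != nil {
		return "", "", err
	}
	if enableCsp {
		csp = cspHeader(nonce)
	}
	return csp, buf.String(), nil
}
```

Because the nonce is minted per response, the header and the markup only match when both come from the same renderBrowse call; caching the rendered body while regenerating the header would break the policy.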