You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
28 lines
986 B
28 lines
986 B
package middleware |
|
|
|
import ( |
|
"fmt" |
|
"net/http" |
|
"os" |
|
"strings" |
|
) |
|
|
|
// SetHeaders will set our global headers for web resources. |
|
func SetHeaders(w http.ResponseWriter) { |
|
// Tell Google to not use this response in their FLoC tracking. |
|
w.Header().Set("Permissions-Policy", "interest-cohort=()") |
|
|
|
// When running automated browser tests we must allow `unsafe-eval` in our CSP |
|
// so we can explicitly add it only when needed. |
|
inTest := os.Getenv("BROWSER_TEST") == "true" |
|
unsafeEval := "" |
|
if inTest { |
|
unsafeEval = `'unsafe-eval'` |
|
} |
|
// Content security policy |
|
csp := []string{ |
|
fmt.Sprintf("script-src 'self' %s 'sha256-2HPCfJIJHnY0NrRDPTOdC7AOSJIcQyNxzUuut3TsYRY=' 'sha256-PzXGlTLvNFZ7et6GkP2nD3XuSaAKQVBSYiHzU2ZKm8o=' 'sha256-/wqazZOqIpFSIrNVseblbKCXrezG73X7CMqRSTf+8zw=' 'sha256-jCj2f+ICtd8fvdb0ngc+Hkr/ZnZOMvNkikno/XR6VZs='", unsafeEval), |
|
"worker-src 'self' blob:", // No single quotes around blob: |
|
} |
|
w.Header().Set("Content-Security-Policy", strings.Join(csp, "; ")) |
|
}
|
|
|