Added support to enable Content-Security-Policy and Content-Security-Policy-Report-Only.

Export Csp boolean flag in global context (true if CSP is enabled).
Load extra styles if CSP is enabled.

html/head.html

@@ -5,6 +5,7 @@
 <meta name="mobile-web-app-capable" content="yes">
 <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
 <base href="<%.Cfg.B%>">
+<%if.Csp%><link rel="stylesheet" type="text/css" href="<%.Cfg.S%>/css/csp.min.css"><%end%>
 <link rel="stylesheet" type="text/css" href="<%.Cfg.S%>/css/bootstrap.min.css">
 <link rel="stylesheet" type="text/css" href="<%.Cfg.S%>/css/font-awesome.min.css">
 <link rel="stylesheet" type="text/css" href="<%.Cfg.S%>/css/main.min.css">

html/main.html

@@ -1,5 +1,5 @@
 <%define "mainPage"%><!doctype html>
-<html class="no-js">
+<html class="no-js" <%if.Csp%>ng-csp<%end%>>
 <head>
 <%template "head" .%>
 </head>

server.conf.in

@@ -101,6 +101,10 @@ serverRealm = local
 ; a front end webserver. Check the doc folder for more info about plugins and
 ; examples.
 ;plugin = extra/static/myplugin.js
+; Content-Security-Policy HTTP response header value.
+;contentSecurityPolicy =
+; Content-Security-Policy-Report-Only HTTP response header value.
+;contentSecurityPolicyReportOnly =
 
 [log]
 ;logfile = /var/log/spreed-webrtc-server.log

src/app/spreed-webrtc-server/config.go

@@ -47,6 +47,8 @@ type Config struct {
 	Plugin                          string   // Plugin to load
 	globalRoomID                    string   // Id of the global room (not exported to Javascript)
 	authorizeRoomCreation           bool     // Whether a user account is required to create rooms (not exported to Javascript)
+	contentSecurityPolicy           string   // HTML content security policy
+	contentSecurityPolicyReportOnly string   // HTML content security policy in report only mode
 }
 
 func NewConfig(container phoenix.Container, tokens bool) *Config {
@@ -100,6 +102,8 @@ func NewConfig(container phoenix.Container, tokens bool) *Config {
 		Plugin:                          container.GetStringDefault("app", "plugin", ""),
 		globalRoomID:                    container.GetStringDefault("app", "globalRoom", ""),
 		authorizeRoomCreation:           container.GetBoolDefault("app", "authorizeRoomCreation", false),
+		contentSecurityPolicy:           container.GetStringDefault("app", "contentSecurityPolicy", ""),
+		contentSecurityPolicyReportOnly: container.GetStringDefault("app", "contentSecurityPolicyReportOnly", ""),
 	}
 }
 

src/app/spreed-webrtc-server/context.go

@@ -26,6 +26,7 @@ type Context struct {
 	Cfg       *Config
 	Host      string
 	Ssl       bool
+	Csp       bool
 	Languages []string
 	Room      string `json:"-"`
 	Scheme    string `json:"-"`

src/app/spreed-webrtc-server/main.go

@@ -109,6 +109,17 @@ func handleRoomView(room string, w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Expires", "-1")
 	w.Header().Set("Cache-Control", "private, max-age=0")
 
+	csp := false
+
+	if config.contentSecurityPolicy != "" {
+		w.Header().Set("Content-Security-Policy", config.contentSecurityPolicy)
+		csp = true
+	}
+	if config.contentSecurityPolicyReportOnly != "" {
+		w.Header().Set("Content-Security-Policy-Report-Only", config.contentSecurityPolicyReportOnly)
+		csp = true
+	}
+
 	scheme := "http"
 
 	// Detect if the request was made with SSL.
@@ -126,7 +137,7 @@ func handleRoomView(room string, w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Prepare context to deliver to HTML..
-	context := &Context{Cfg: config, App: "main", Host: r.Host, Scheme: scheme, Ssl: ssl, Languages: langs, Room: room}
+	context := &Context{Cfg: config, App: "main", Host: r.Host, Scheme: scheme, Ssl: ssl, Csp: csp, Languages: langs, Room: room}
 
 	// Get URL parameters.
 	r.ParseForm()

src/styles/Makefile.am

@@ -36,6 +36,8 @@ styles:
 		$(CURDIR)/bootstrap.scss:$(STATIC)/css/bootstrap.min.css
 	$(SASS) --compass --scss $(SASSFLAGS) \
 		$(CURDIR)/font-awesome.scss:$(STATIC)/css/font-awesome.min.css
+	$(SASS) --compass --scss $(SASSFLAGS) \
+		$(CURDIR)/csp.scss:$(STATIC)/css/csp.min.css
 
 styleshint:
 	@if [ "$(SASS)" = "" ]; then echo "Command 'sass' not found, required when checking styles"; exit 1; fi

src/styles/csp.scss

@@ -0,0 +1,22 @@
+/*!
+ * Spreed WebRTC.
+ * Copyright (C) 2013-2014 struktur AG
+ *
+ * This file is part of Spreed WebRTC.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+@import "libs/angular/angular-csp.scss";

src/styles/libs/_libs.scss

@@ -2,3 +2,4 @@
 @import "hidpi";
 @import "toastr/toastr.scss";
 @import "dialogs";
+@import "angular/angular.scss";

src/styles/libs/angular/angular-csp.scss

@@ -0,0 +1,41 @@
+/*
+ * Spreed WebRTC.
+ * Copyright (C) 2013-2014 struktur AG
+ *
+ * This file is part of Spreed WebRTC.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+[ng\:cloak], [ng-cloak], [data-ng-cloak], [x-ng-cloak],
+.ng-cloak, .x-ng-cloak,
+.ng-hide {
+  display: none !important;
+}
+
+ng\:form {
+  display: block;
+}
+
+.ng-animate-block-transitions {
+  transition:0s all!important;
+  -webkit-transition:0s all!important;
+}
+
+/* show the element during a show/hide animation when the
+ * animation is ongoing, but the .ng-hide class is active */
+.ng-hide-add-active, .ng-hide-remove {
+  display: block!important;
+}

src/styles/main.scss

@@ -30,7 +30,6 @@
 @import "global/loader";
 @import "global/views";
 @import "global/pages";
-@import "global/angular";
 @import "global/nicescroll";
 @import "global/animations";
 @import "global/overlaybar";

static/css/csp.min.css

@@ -0,0 +1,20 @@
+/*!
+ * Spreed WebRTC.
+ * Copyright (C) 2013-2014 struktur AG
+ *
+ * This file is part of Spreed WebRTC.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */[ng\:cloak],[ng-cloak],[data-ng-cloak],[x-ng-cloak],.ng-cloak,.x-ng-cloak,.ng-hide{display:none !important}ng\:form{display:block}.ng-animate-block-transitions{transition:0s all !important;-webkit-transition:0s all !important}.ng-hide-add-active,.ng-hide-remove{display:block !important}

static/js/main.js

@@ -273,7 +273,7 @@ if (Object.create) {
 					// Wait for all others to complete and then boostrap the main app.
 					$q.all(promises).then(function() {
 						console.log("Bootstrapping ...");
-						angular.bootstrap(document, ['app'], {
+						angular.bootstrap(document.body, ['app'], {
 							strictDi: true
 						});
 					});