
Moved CSP into HTTP response headers for odf and pdf sandbox and allowed blob: and data: img-src.

Simon Eisenmann 10 years ago
parent
commit
77d7860ba1
  1. 1
      html/sandboxes/odfcanvas_sandbox.html
  2. 1
      html/sandboxes/pdfcanvas_sandbox.html
  3. 21
      src/app/spreed-webrtc-server/main.go

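--- a/html/sandboxes/odfcanvas_sandbox.html
+++ b/html/sandboxes/odfcanvas_sandbox.html
@@ -2,7 +2,6 @@
 <html>
 <head>
 <title>WebODF Sandbox</title>
-<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src <%.Origin%>; img-src data:; style-src 'unsafe-inline'">
 <base href="<%.Cfg.B%>">
 <style type="text/css">
 html, body {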

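--- a/html/sandboxes/pdfcanvas_sandbox.html
+++ b/html/sandboxes/pdfcanvas_sandbox.html
@@ -2,7 +2,6 @@
 <html>
 <head>
 <title>pdf.js Sandbox</title>
-<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src <%.Origin%> 'unsafe-eval'; img-src 'self'; style-src 'unsafe-inline'">
 <base href="<%.Cfg.B%>">
 <style type="text/css">
 html, body {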

21
src/app/spreed-webrtc-server/main.go

@ -181,19 +181,30 @@ func handleSandboxView(sandbox string, origin string, w http.ResponseWriter, r *
w.Header().Set("Expires", "-1") w.Header().Set("Expires", "-1")
w.Header().Set("Cache-Control", "private, max-age=0") w.Header().Set("Cache-Control", "private, max-age=0")
//w.Header().Set("Content-Security-Policy", config.contentSecurityPolicy)
var err error
sandboxTemplateName := fmt.Sprintf("%s_sandbox.html", sandbox) sandboxTemplateName := fmt.Sprintf("%s_sandbox.html", sandbox)
// Prepare context to deliver to HTML.. // Prepare context to deliver to HTML..
if t := templates.Lookup(sandboxTemplateName); t != nil { if t := templates.Lookup(sandboxTemplateName); t != nil {
// CSP support for sandboxes.
var csp string
switch sandbox {
case "odfcanvas":
csp = fmt.Sprintf("default-src 'none'; script-src %s; img-src data: blob:; style-src 'unsafe-inline'", origin)
case "pdfcanvas":
csp = fmt.Sprintf("default-src 'none'; script-src %s 'unsafe-eval'; img-src 'self' data: blob:; style-src 'unsafe-inline'", origin)
default:
csp = "default-src 'none'"
}
w.Header().Set("Content-Security-Policy", csp)
// Prepare context to deliver to HTML.. // Prepare context to deliver to HTML..
context := &Context{Cfg: config, Origin: origin} context := &Context{Cfg: config, Origin: origin, Csp: true}
err = t.Execute(w, &context) err := t.Execute(w, &context)
if err != nil { if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError) http.Error(w, err.Error(), http.StatusInternalServerError)
} }
} else { } else {
http.Error(w, "404 Unknown Sandbox", http.StatusNotFound) http.Error(w, "404 Unknown Sandbox", http.StatusNotFound)
} }
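Review bot: The two `fmt.Sprintf` calls building `csp` interpolate `origin` straight into a response header without any check on its shape; `origin` arrives as a parameter of handleSandboxView and its source is outside this hunk, so if it can be influenced by the request (Host/Origin headers or a query value) a value containing `;`, whitespace or a comma would inject extra CSP directives or sources, and a CR/LF would be rejected by net/http but still produce a failed header. Before the switch I would validate it, e.g. `if u, err := url.Parse(origin); err != nil || u.Scheme == "" || u.Host == "" || u.String() != u.Scheme+"://"+u.Host { http.Error(w, "invalid origin", http.StatusBadRequest); return }`, and note the contract above the switch with `// origin is spliced into a CSP directive: must be a bare scheme://host[:port], no ';' or whitespace.` The `default:` branch's `default-src 'none'` is a sound fail-closed choice, but it is worth a one-line comment saying so, since any future sandbox template added without a case here will render with all scripts, styles and images blocked. Also note that `'unsafe-eval'` in the pdfcanvas policy and `data:`/`blob:` in img-src are deliberate relaxations for pdf.js and WebODF; a short comment naming the consumer of each would keep them from being tightened or loosened by accident. The enclosing handleSandboxView starts before this hunk (at line 181 per the hunk header) and may continue past it.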
