remove CSP header/custom style hashes
11 files changed, 4 insertions(+), 43 deletions(-)
M domain/web/mux.go → domain/web/mux.go
@@ -1,7 +1,6 @@
 package website
 
 import (
-	"fmt"
 	"net/http"
 	"regexp"
 	"slices"
@@ -51,10 +50,6 @@ }
 	analytics.WithTitle(r, file.Title)
 	w.Header().Add("ETag", file.Etag)
 	w.Header().Add("Vary", "Accept-Encoding")
-	if file.StyleHash != "" {
-		CSPHeader.StyleSrc = append(CSPHeader.StyleSrc, fmt.Sprintf("'%s'", file.StyleHash))
-	}
-	w.Header().Add("Content-Security-Policy", CSPHeader.String())
 	for k, v := range ExtraHeaders {
 		w.Header().Add(k, v)
 	}
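Review bot: With the per-request `Content-Security-Policy` write gone, this handler now sends responses with no CSP at all, so the fixed protections carried by the deleted `CSPHeader` in website.go (`default-src 'none'`, `frame-ancestors https://kagi.com`, `form-action 'none'`, `base-uri 'none'`, `require-trusted-types-for 'script'`) disappear together with the style hashes the title targets, unless one of the six files not shown here re-adds them. Dropping the `append` on the package-level `CSPHeader.StyleSrc` was sound, since it grew a shared slice on every request, but the static part of the policy needs no per-request state and fits in `ExtraHeaders` next to `X-Content-Type-Options`, e.g. `"Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' https://pkg.go.dev/; form-action 'none'; base-uri 'none'; frame-ancestors https://kagi.com; require-trusted-types-for 'script'",`. The removed `opts.Development` branch in website.go that prepended `'unsafe-inline'` and `connect-src 'self'` would then need a dev-build equivalent, presumably for livereload. The enclosing handler in mux.go starts and ends outside the hunk.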
M domain/web/website.go → domain/web/website.go
@@ -5,7 +5,6 @@ "context" "net/http" "os" "path/filepath" - "slices" "sync" "time"@@ -27,7 +26,6 @@ "alin.ovh/x/log" "github.com/Southclaws/fault" "github.com/Southclaws/fault/fmsg" - "github.com/crewjam/csp" "github.com/osdevisnot/sorvor/pkg/livereload" )@@ -52,21 +50,9 @@ log *log.Logger reader storage.Reader calendar *calendar.Calendar identity *identity.Service - CSP *csp.Header *server.App } -var CSPHeader = csp.Header{ - DefaultSrc: []string{"'none'"}, - FormAction: []string{"'none'"}, - BaseURI: []string{"'none'"}, - ImgSrc: []string{"'self'", "https://pkg.go.dev/"}, - ScriptSrc: []string{"'self'"}, - StyleSrc: []string{"'self'"}, - FrameAncestors: []string{"https://kagi.com"}, - RequireTrustedTypesFor: []csp.RequireTrustedTypesFor{csp.RTTFScript}, -} - var ExtraHeaders = map[string]string{ "Cache-Control": "max-age=14400", "X-Content-Type-Options": "nosniff",@@ -112,11 +98,6 @@ }) roots, err := fetcher.Subscribe() if err != nil { return nil, fault.Wrap(err, fmsg.With("could not set up fetcher")) - } - - if opts.Development { - CSPHeader.ScriptSrc = slices.Insert(CSPHeader.ScriptSrc, 0, "'unsafe-inline'") - CSPHeader.ConnectSrc = slices.Insert(CSPHeader.ConnectSrc, 0, "'self'") } firstUpdate := make(chan bool)
M go.mod → go.mod
@@ -17,7 +17,6 @@ github.com/antchfx/xmlquery v1.4.4
 	github.com/antchfx/xpath v1.3.3
 	github.com/ardanlabs/conf/v3 v3.4.0
 	github.com/benpate/digit v0.13.4
-	github.com/crewjam/csp v0.0.2
 	github.com/deckarep/golang-set/v2 v2.7.0
 	github.com/fsnotify/fsnotify v1.8.0
 	github.com/go-git/go-git/v5 v5.14.0
M go.sum → go.sum
@@ -111,8 +111,6 @@ github.com/creachadair/taskgroup v0.13.2 h1:3KyqakBuFsm3KkXi/9XIb0QcA8tEzLHLgaoidf0MdVc=
 github.com/creachadair/taskgroup v0.13.2/go.mod h1:i3V1Zx7H8RjwljUEeUWYT30Lmb9poewSb2XI1yTwD0g=
 github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
 github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
-github.com/crewjam/csp v0.0.2 h1:fIq6o0Z6bkABlvLT3kB0XgPnVX9iNXSAGMILs6AqHVw=
-github.com/crewjam/csp v0.0.2/go.mod h1:0tirp4wHwMLZZtV+HXRqGFkUO7uD2ux+1ECvK+7/xFI=
 github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
 github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
M gomod2nix.toml → gomod2nix.toml
@@ -136,9 +136,6 @@ hash = "sha256-jEaJSKcwmKtXFkvtxwpEdFMdazXZM6bY2u5TGBimklI="
   [mod."github.com/coreos/go-iptables"]
     version = "v0.7.1-0.20240112124308-65c67c9f46e6"
     hash = "sha256-kjnry8ld5Keew5q+tX7GSdGVZaXlehs2Lt+z8Rokhns="
-  [mod."github.com/crewjam/csp"]
-    version = "v0.0.2"
-    hash = "sha256-4vlGmDdQjPiXmueCV51fJH/hRcG8eqhCi9TENCXjzfA="
   [mod."github.com/cyphar/filepath-securejoin"]
     version = "v0.4.1"
     hash = "sha256-NOV6MfbkcQbfhNmfADQw2SJmZ6q1nw0wwg8Pm2tf2DM="