
Commit 57b38e5

authored
fix: allow coder.com in CSP if telemetry is enabled (#13615)
* fix: allow coder.com in CSP if telemetry is enabled * Fix control couple lint
1 parent 0793a4b commit 57b38e5

3 files changed

+10
-3
lines changed

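--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -1210,7 +1210,7 @@ func New(options *Options) *API {
 
 // Add CSP headers to all static assets and pages. CSP headers only affect
 // browsers, so these don't make sense on api routes.
-cspMW := httpmw.CSPHeaders(func() []string {
+cspMW := httpmw.CSPHeaders(options.Telemetry.Enabled(), func() []string {
 if api.DeploymentValues.Dangerous.AllowAllCors {
 // In this mode, allow all external requests
 return []string{"*"}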
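--- a/coderd/httpmw/csp.go
+++ b/coderd/httpmw/csp.go
@@ -43,7 +43,9 @@ const (
 // CSPHeaders returns a middleware that sets the Content-Security-Policy header
 // for coderd. It takes a function that allows adding supported external websocket
 // hosts. This is primarily to support the terminal connecting to a workspace proxy.
-func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Handler {
+//
+//nolint:revive
+func CSPHeaders(telemetry bool, websocketHosts func() []string) func(next http.Handler) http.Handler {
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 // Content-Security-Policy disables loading certain content types and can prevent XSS injections.
@@ -83,6 +85,11 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han
 // "require-trusted-types-for" : []string{"'script'"},
 }
 
+if telemetry {
+// If telemetry is enabled, we report to coder.com.
+cspSrcs.Append(cspDirectiveConnectSrc, "https://coder.com")
+}
+
 // This extra connect-src addition is required to support old webkit
 // based browsers (Safari).
 // See issue: https://github.com/w3c/webappsec-csp/issues/7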
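Review bot: The doc comment on CSPHeaders still describes only the websocketHosts argument; the new telemetry parameter added in the first hunk is undocumented, and the `//nolint:revive` line silences the flag-parameter (control coupling) warning without saying why the bool is acceptable here. I would extend the comment before the nolint line with `// telemetry, when true, adds https://coder.com to connect-src so that` / `// telemetry reports sent from the browser are not blocked by the policy.` The origin added in the second hunk is hard-coded, which is only correct as long as telemetry is in fact sent to https://coder.com; if the telemetry endpoint is configurable elsewhere, the connect-src entry should be derived from that same setting so the policy cannot drift from it. CSPHeaders's body continues outside both hunks.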
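--- a/coderd/httpmw/csp_test.go
+++ b/coderd/httpmw/csp_test.go
@@ -19,7 +19,7 @@ func TestCSPConnect(t *testing.T) {
 r := httptest.NewRequest(http.MethodGet, "/", nil)
 rw := httptest.NewRecorder()
 
-httpmw.CSPHeaders(func() []string {
+httpmw.CSPHeaders(false, func() []string {
 return expected
 })(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 rw.WriteHeader(http.StatusOK)
</func_update>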
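Review bot: The updated test only exercises the telemetry=false path, so the new connect-src entry for https://coder.com added in csp.go has no coverage. A second case calling `httpmw.CSPHeaders(true, ...)` should assert that the Content-Security-Policy header's connect-src contains `https://coder.com`, and the existing false case should assert it is absent, so a regression in either direction is caught. TestCSPConnect's body continues outside the hunk.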