don't report csp violations by default
This commit is contained in:
Ted Unangst
parent
9de375d169
commit
79756a6b0f
9
web.go
9
web.go
|
|
@ -2560,6 +2560,9 @@ func apihandler(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func fiveoh(w http.ResponseWriter, r *http.Request) {
|
func fiveoh(w http.ResponseWriter, r *http.Request) {
|
||||||
|
if !develMode {
|
||||||
|
return
|
||||||
|
}
|
||||||
fd, err := os.OpenFile("violations.json", os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0666)
|
fd, err := os.OpenFile("violations.json", os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0666)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
elog.Printf("error opening violations! %s", err)
|
elog.Printf("error opening violations! %s", err)
|
||||||
|
|
@ -2606,7 +2609,11 @@ func bgmonitor() {
|
||||||
|
|
||||||
func addcspheaders(next http.Handler) http.Handler {
|
func addcspheaders(next http.Handler) http.Handler {
|
||||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
w.Header().Set("Content-Security-Policy", "default-src 'none'; script-src 'self'; connect-src 'self'; style-src 'self'; img-src 'self'; media-src 'self'; report-uri /csp-violation")
|
policy := "default-src 'none'; script-src 'self'; connect-src 'self'; style-src 'self'; img-src 'self'; media-src 'self'"
|
||||||
|
if develMode {
|
||||||
|
policy += "; report-uri /csp-violation"
|
||||||
|
}
|
||||||
|
w.Header().Set("Content-Security-Policy", policy)
|
||||||
next.ServeHTTP(w, r)
|
next.ServeHTTP(w, r)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue