Add wasm to content security policy for web ssh terminal (#48849)
Without this, the wasm modules imported by xtermjs cannot function. This
follows the same policy as web desktop sessions.
avatus authored Nov 13, 2024
1 parent 8ea9e7d commit 3a65e3e
Showing 2 changed files with 22 additions and 1 deletion.
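--- a/lib/httplib/httpheaders.go
+++ b/lib/httplib/httpheaders.go
@@ -188,6 +188,10 @@ var desktopSessionRe = regexp.MustCompile(`^/web/cluster/[^/]+/desktops/[^/]+/[^
 // which is a route to a desktop recording that uses WASM.
 var recordingRe = regexp.MustCompile(`^/web/cluster/[^/]+/session/[^/]+$`)
 
+// regex for the ssh terminal endpoint /web/cluster/:clusterId/console/node/:sid/:login
+// which is a route to a ssh session that uses WASM.
+var sshSessionRe = regexp.MustCompile(`^/web/cluster/[^/]+/console/node/[^/]+/[^/]+$`)
+
 var indexCSPStringCache *cspCache = newCSPCache()
 
 func getIndexContentSecurityPolicyString(cfg proto.Features, urlPath string) string {
@@ -197,7 +201,7 @@ func getIndexContentSecurityPolicyString(cfg proto.Features, urlPath string) str
 }
 
 // Nothing found in cache, calculate regex and result
-withWasm := desktopSessionRe.MatchString(urlPath) || recordingRe.MatchString(urlPath)
+withWasm := desktopSessionRe.MatchString(urlPath) || recordingRe.MatchString(urlPath) || sshSessionRe.MatchString(urlPath)
 cspString := GetContentSecurityPolicyString(
 getIndexContentSecurityPolicy(withWasm),
 )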
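Review bot: The comment on `sshSessionRe` names the route but not what a match grants: a matching `urlPath` sets `withWasm`, which by the test added in this commit yields `script-src 'self' 'wasm-unsafe-eval'`. I would say so in the comment, e.g. `// A match relaxes script-src with 'wasm-unsafe-eval'; keep the pattern anchored and limited to routes that load the terminal's wasm modules.` Only `/console/node/` paths are matched, so any other console route that renders the same terminal (if there is one) would keep the stricter policy; worth confirming that is intended. `getIndexContentSecurityPolicyString` begins and ends outside the second hunk.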
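--- a/lib/httplib/httplib_test.go
+++ b/lib/httplib/httplib_test.go
@@ -327,6 +327,23 @@ func TestSetIndexContentSecurityPolicy(t *testing.T) {
 "connect-src": "'self' wss:",
 },
 },
+{
+name: "for web ssh session (with wasm)",
+features: proto.Features{},
+urlPath: "/web/cluster/:clusterId/console/node/:sessionId/:username",
+expectedCspVals: map[string]string{
+"default-src": "'self'",
+"base-uri": "'self'",
+"form-action": "'self'",
+"frame-ancestors": "'none'",
+"object-src": "'none'",
+"script-src": "'self' 'wasm-unsafe-eval'",
+"style-src": "'self' 'unsafe-inline'",
+"img-src": "'self' data: blob:",
+"font-src": "'self' data:",
+"connect-src": "'self' wss:",
+},
+},
 {
 name: "for cloud based usage & desktop session, with wasm",
 features: proto.Features{Cloud: true, IsUsageBased: true, IsStripeManaged: true},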
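Review bot: The new table entry only proves that a matching path receives `'wasm-unsafe-eval'`; nothing checks that a near-miss path is refused it, so a later loosening of the `sshSessionRe` anchors would pass unnoticed. I would add a negative case next to this one whose `urlPath` carries an extra segment and whose expected `script-src` has no wasm keyword. The expected values in the sketch below are assumed from the wasm case minus the keyword and should be checked against the existing default case, which lies outside the hunk; the test function also starts and ends outside the hunk.

```go
{
	name:     "for web ssh path with an extra segment (no wasm)",
	features: proto.Features{},
	urlPath:  "/web/cluster/:clusterId/console/node/:sessionId/:username/extra",
	expectedCspVals: map[string]string{
		// … remaining directives: same as the existing non-wasm default case …
		"script-src": "'self'", // assumed non-wasm value: confirm against the default case
	},
},
```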
