From c00ed962caa5f5e7a13051de9352f0082bda36b3 Mon Sep 17 00:00:00 2001
From: flyinghermit
Date: Mon, 22 Jul 2024 16:17:03 -0400
Subject: [PATCH 1/3] refactor: export getContentSecurityPolicyString
---
 lib/httplib/httpheaders.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/httplib/httpheaders.go b/lib/httplib/httpheaders.go
index 1fae246120433..93254de7b9c10 100644
--- a/lib/httplib/httpheaders.go
+++ b/lib/httplib/httpheaders.go
@@ -106,11 +106,11 @@ func combineCSPMaps(cspMaps ...cspMap) cspMap {
 	return combinedMap
 }
 
-// getContentSecurityPolicyString combines multiple CSP maps into a single
+// GetContentSecurityPolicyString combines multiple CSP maps into a single
 // CSP string, alphabetically sorted by the directive key.
 // When multiple of the input cspMaps have the same key, their
 // respective lists are concatenated.
-func getContentSecurityPolicyString(cspMaps ...cspMap) string {
+func GetContentSecurityPolicyString(cspMaps ...cspMap) string {
 	combined := combineCSPMaps(cspMaps...)
 
 	keys := make([]string, 0, len(combined))
@@ -209,7 +209,7 @@ func getIndexContentSecurityPolicyString(cfg proto.Features, urlPath string) str
 
 	// Nothing found in cache, calculate regex and result
 	withWasm := desktopSessionRe.MatchString(urlPath) || recordingRe.MatchString(urlPath)
-	cspString := getContentSecurityPolicyString(
+	cspString := GetContentSecurityPolicyString(
 		getIndexContentSecurityPolicy(withStripe, withWasm),
 	)
 	// Add result to cache
@@ -260,7 +260,7 @@ func getRedirectPageContentSecurityPolicyString(scriptSrc string) string {
 		return cspString
 	}
 
-	cspString := getContentSecurityPolicyString(
+	cspString := GetContentSecurityPolicyString(
 		defaultContentSecurityPolicy,
 		cspMap{
 			"script-src": {"'" + scriptSrc + "'"},
From f825b8678b2833f4b07d2f03d37530ea67c60acd Mon Sep 17 00:00:00 2001
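Review bot: Exporting GetContentSecurityPolicyString in the first hunk makes it reachable from other packages, but its doc comment still says nothing about the trust placed in its inputs: nothing visible in this patch validates directive names or source values, and the existing caller in the last hunk builds a value by plain concatenation (`"'" + scriptSrc + "'"`), so a stray quote or separator in a value would presumably land in the emitted header unchanged. Suggest extending the comment with `// Directive names and source values are written into the policy as given, without validation or escaping; callers must supply well-formed values from trusted configuration.` As a point of style, Go discourages a Get prefix on exported functions, so `ContentSecurityPolicyString` (or `BuildCSPString`) would read more idiomatically. Note also that PATCH 3/3 shows getAppLaunchContentSecurityPolicyString still calling `getContentSecurityPolicyString` and `cspMap{` after this commit, so the intermediate commits of the series do not build; squashing the three patches keeps bisect working.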
From: flyinghermit
Date: Wed, 24 Jul 2024 12:22:53 -0400
Subject: [PATCH 2/3] export CSPMap type
---
 lib/httplib/httpheaders.go | 27 ++++++++++++++------------
 1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/lib/httplib/httpheaders.go b/lib/httplib/httpheaders.go
index 93254de7b9c10..a383845e44d2b 100644
--- a/lib/httplib/httpheaders.go
+++ b/lib/httplib/httpheaders.go
@@ -62,9 +62,10 @@ func newCSPCache() *cspCache {
 	}
 }
 
-type cspMap map[string][]string
+// CSPMap holds a map of Content Security Policy.
+type CSPMap map[string][]string
 
-var defaultContentSecurityPolicy = cspMap{
+var defaultContentSecurityPolicy = CSPMap{
 	"default-src": {"'self'"},
 	"script-src": {"'self'"},
 	// specify CSP directives not covered by `default-src`
@@ -77,24 +78,24 @@ var defaultContentSecurityPolicy = cspMap{
 	"style-src": {"'self'", "'unsafe-inline'"},
 }
 
-var defaultFontSrc = cspMap{"font-src": {"'self'", "data:"}}
-var defaultConnectSrc = cspMap{"connect-src": {"'self'", "wss:"}}
+var defaultFontSrc = CSPMap{"font-src": {"'self'", "data:"}}
+var defaultConnectSrc = CSPMap{"connect-src": {"'self'", "wss:"}}
 
-var stripeSecurityPolicy = cspMap{
+var stripeSecurityPolicy = CSPMap{
 	// auto-pay plans in Cloud use stripe.com to manage billing information
 	"script-src": {"https://js.stripe.com"},
 	"frame-src": {"https://js.stripe.com"},
 }
 
-var wasmSecurityPolicy = cspMap{
+var wasmSecurityPolicy = CSPMap{
 	"script-src": {"'self'", "'wasm-unsafe-eval'"},
 }
 
 // combineCSPMaps combines multiple CSP maps into a single map.
-// When multiple of the input cspMaps have the same key, their
+// When multiple of the input CSPMap have the same key, their
 // respective lists are concatenated.
-func combineCSPMaps(cspMaps ...cspMap) cspMap {
-	combinedMap := make(cspMap)
+func combineCSPMaps(cspMaps ...CSPMap) CSPMap {
+	combinedMap := make(CSPMap)
 
 	for _, cspMap := range cspMaps {
 		for key, value := range cspMap {
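Review bot: The doc comment added for the newly exported type, `// CSPMap holds a map of Content Security Policy.`, does not tell a caller outside the package what the keys and values are, which matters now that external code can construct one. Suggest `// CSPMap maps a Content-Security-Policy directive name (e.g. "script-src") to its list of source expressions; when several maps are combined, lists for the same directive are concatenated.` — the concatenation behaviour is the one the combineCSPMaps comment in the next hunk already states. In that next hunk the rewritten sentence `// When multiple of the input CSPMap have the same key, their` reads awkwardly; `// When several of the input maps share a key, their` keeps the meaning.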
@@ -110,7 +111,7 @@ func combineCSPMaps(cspMaps ...cspMap) cspMap {
 // CSP string, alphabetically sorted by the directive key.
 // When multiple of the input cspMaps have the same key, their
 // respective lists are concatenated.
-func GetContentSecurityPolicyString(cspMaps ...cspMap) string {
+func GetContentSecurityPolicyString(cspMaps ...CSPMap) string {
 	combined := combineCSPMaps(cspMaps...)
 
 	keys := make([]string, 0, len(combined))
@@ -175,8 +176,8 @@ func SetDefaultSecurityHeaders(h http.Header) {
 	h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 }
 
-func getIndexContentSecurityPolicy(withStripe, withWasm bool) cspMap {
-	cspMaps := []cspMap{defaultContentSecurityPolicy, defaultFontSrc, defaultConnectSrc}
+func getIndexContentSecurityPolicy(withStripe, withWasm bool) CSPMap {
+	cspMaps := []CSPMap{defaultContentSecurityPolicy, defaultFontSrc, defaultConnectSrc}
 
 	if withStripe {
 		cspMaps = append(cspMaps, stripeSecurityPolicy)
@@ -262,7 +263,7 @@ func getRedirectPageContentSecurityPolicyString(scriptSrc string) string {
 
 	cspString := GetContentSecurityPolicyString(
 		defaultContentSecurityPolicy,
-		cspMap{
+		CSPMap{
 			"script-src": {"'" + scriptSrc + "'"},
 		},
 	)
From 78e42712ae1f55d0d3922b571871ab33ef359919 Mon Sep 17 00:00:00 2001
From: flyinghermit
Date: Wed, 7 Aug 2024 11:34:45 -0400
Subject: [PATCH 3/3] capitalize values missed by bot
---
 lib/httplib/httpheaders.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/httplib/httpheaders.go b/lib/httplib/httpheaders.go
index a383845e44d2b..eacfcdf03d0f1 100644
--- a/lib/httplib/httpheaders.go
+++ b/lib/httplib/httpheaders.go
@@ -234,10 +234,10 @@ func getAppLaunchContentSecurityPolicyString(applicationURL string) string {
 		return cspString
 	}
 
-	cspString := getContentSecurityPolicyString(
+	cspString := GetContentSecurityPolicyString(
 		defaultContentSecurityPolicy,
 		defaultFontSrc,
-		cspMap{
+		CSPMap{
 			"connect-src": {"'self'", applicationURL},
 		},
 	)