From febabf4b56173b05e5c35f1af28ca2f6e3d1d3a9 Mon Sep 17 00:00:00 2001
From: James Hodgkinson
Date: Wed, 22 Jun 2022 09:54:48 +1000
Subject: [PATCH] tweaks to CSP headers, adding more docs
---
 kanidmd/score/src/https/mod.rs | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/kanidmd/score/src/https/mod.rs b/kanidmd/score/src/https/mod.rs
index 21bea8de3..c79a82391 100644
--- a/kanidmd/score/src/https/mod.rs
+++ b/kanidmd/score/src/https/mod.rs
@@ -281,13 +281,28 @@ impl tide::Middleware
 let body_str = response.take_body().into_string().await?;
 // update it with the hash
 response.set_body(body_str.replace("==WASMHASH==", self.integrity_wasmloader.as_str()));
- response.insert_header(
+ /* content-security-policy headers tell the browser what to trust
+ https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+
+ In this case we're only trusting the same server that the page is being loaded from, and adding
+ a hash of wasmloader.js, which is the main script we should be loading, and should be really secure
+ about that!
+
+ */
+
+ // TODO: consider scraping the other js files that wasm-pack builds and including them too
 "content-security-policy",
- format!(
- "default-src https: self; img-src https: self; script-src https: 'sha384-{}' 'unsafe-eval' self;",
- self.integrity_wasmloader.as_str(),
- )
+ vec![
+ "default-src 'self'",
+ // we need unsafe-eval because of WASM things
+ format!("script-src 'self' 'sha384-{}' 'unsafe-eval'", self.integrity_wasmloader.as_str() ).as_str(),
+ "img-src 'self'",
+
+ "object-src 'self'",
+ // not currently using workers so it can be blocked
+ "worker-src 'none'",
+ ].join(";"),
 );
 Ok(response)