Make CSP more strict (#7390)

closes https://gravitational.zendesk.com/agent/tickets/3062
Alexey Kontsevoy 2021-06-24 02:17:46 -04:00 committed by GitHub
parent 6c34385e35
commit 79f7d4b1e7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -63,13 +63,18 @@ func SetIndexHTMLHeaders(h http.Header) {
// Set content policy flags
var cspValue = strings.Join([]string{
// enterprise version uses stripe.com to update billing information
"default-src 'self'",
// cloud version uses stripe.com to update billing information
"script-src 'self' https://js.stripe.com",
// 'unsafe-inline' needed for reactjs inline styles
"frame-src https://js.stripe.com",
"frame-ancestors 'none'",
// 'unsafe-inline' is required by CSS-in-JS to work
"style-src 'self' 'unsafe-inline'",
"object-src 'none'",
"img-src 'self' data: blob:",
"font-src 'self' data:",
"base-uri 'self'",
"form-action 'self'",
}, ";")
h.Set("Content-Security-Policy", cspValue)