
Commit 2971909

fix: Support adding websocket endpoints to connect-src CSP automatically
Fixes #5
1 parent e99e79c commit 2971909


3 files changed

+5
-2
lines changed


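--- a/config/templates/content_security_policy.tmpl
+++ b/config/templates/content_security_policy.tmpl
@@ -11,7 +11,7 @@
 {{ if and .hardening.whitelist_spa_config_endpoints_as_connect_sources (not (index .hardening.content_security_policy "connect-src")) (ne (len .spa_config.endpoints) 0) -}}
 connect-src
 {{- range $key, $value := .spa_config.endpoints -}}
-{{- if $value | regexp.Match "^http(s)?:\\/\\/" -}}
+{{- if $value | regexp.Match "^(http(s)?|ws(s)?):\\/\\/" -}}
 {{- $url := $value | conv.URL -}}
 {{ " " }}{{ $url.Scheme }}://{{ $url.Host }}
 {{- end -}}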
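Review bot: The widened pattern on the added line lets cleartext `ws://` endpoints into connect-src, but the policy this template emits also carries `block-all-mixed-content` (visible in the updated Java expectation), so on a page served over HTTPS the browser refuses a `ws://` connection no matter what the allow-list says; the entry then only broadens the policy without enabling anything. If cleartext endpoints are meant for plain-HTTP deployments, a template comment such as `{{/* ws:// entries only take effect when the page itself is served over http; block-all-mixed-content blocks them otherwise */}}` above the `if` would record that intent. The match is also case-sensitive, so an endpoint written as `WSS://…` is silently dropped, the same pre-existing gap as for `HTTPS://`; `regexp.Match` here appears to use Go regexp syntax, in which a leading `(?i)` would cover it. The enclosing `if`/`range` block closes outside the hunk.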

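--- a/tests/src/test/java/de/codecentric/spa/server/tests/ContentSecurityPolicyTests.java
+++ b/tests/src/test/java/de/codecentric/spa/server/tests/ContentSecurityPolicyTests.java
@@ -34,7 +34,7 @@ public void shouldAddConnectSrcCspForConfiguredEndpointsByDefault() throws IOExc
 assertThat(response.statusCode()).isEqualTo(200);
 
 assertThat(response.headers().firstValue("Content-Security-Policy")).hasValue(
-"base-uri 'self'; block-all-mixed-content; default-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; connect-src https://example.com:1234 http://example.com https://example.com 'self'");
+"base-uri 'self'; block-all-mixed-content; default-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; object-src 'none'; script-src 'self'; style-src 'self'; connect-src https://example.com:1234 http://example.com https://example.com ws://example.com wss://example.com 'self'");
 }
 }
 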
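Review bot: The updated expectation relies on the whole-header exact match to prove that the fixture's `unknownSchemaApi` entry is filtered out of connect-src, but nothing in the test states that intent, so a later edit that relaxes `hasValue` to a contains-style check would silently lose the negative case. A comment above the assertion, `// exact match on purpose: also proves the unknown:// fixture endpoint is not whitelisted`, would keep it. The order of sources in the expected value appears to follow the fixture keys sorted alphabetically, which is what makes the exact string stable and is worth noting in the same comment. The method `shouldAddConnectSrcCspForConfiguredEndpointsByDefault` begins outside the hunk.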
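--- a/tests/src/test/resources/content_security_policy/config_with_endpoints.yaml
+++ b/tests/src/test/resources/content_security_policy/config_with_endpoints.yaml
@@ -4,4 +4,7 @@ default:
 localApi: "/api"
 httpsApi: "https://example.com/api"
 httpApi: "http://example.com/api"
+wssApi: "wss://example.com/api"
+wsApi: "ws://example.com/api"
+unknownSchemaApi: "unknown://example.com/api"
 apiWithPort: "https://example.com:1234/api"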
