
Commit 03bdd0b

committed
chore(api,docs): use strict CSPs for docs Web UI
1 parent 9ed1e25 commit 03bdd0b


2 files changed

+44
-0
lines changed


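--- a/api.go
+++ b/api.go
@@ -477,6 +477,17 @@ func NewAPI(config Config, a Adapter) API {
 openAPIPath = path.Join(prefix, openAPIPath)
 }
 ctx.SetHeader("Content-Type", "text/html")
+// Very strict CSP so we never expose any data to the outside world
+ctx.SetHeader("Content-Security-Policy",
+"default-src 'none';"+
+" base-uri 'none';"+
+" connect-src 'self';"+
+" form-action 'none';"+
+" frame-ancestors 'none';"+
+" sandbox allow-same-origin allow-scripts;"+
+" script-src https://unpkg.com/;"+
+" style-src 'unsafe-inline' https://unpkg.com/;"+
+" trusted-types 'none'")
 title := "Elements in HTML"
 if config.Info != nil && config.Info.Title != "" {
 title = config.Info.Title + " Reference"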
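Review bot: `trusted-types 'none'` at the end of the added header only forbids creating Trusted Types policies; without `require-trusted-types-for 'script'` the browser does not enforce Trusted Types on DOM sinks, so the directive adds little on its own. If the Elements bundle tolerates it, append `" require-trusted-types-for 'script';"` before the closing directive; otherwise the directive can be dropped so the policy does not imply a protection that is not active. The comment "never expose any data to the outside world" also overstates the policy: `script-src https://unpkg.com/` admits any script on that whole origin with no version pin or hash, and CSP does not restrict top-level navigations, so narrowing the source to the package path (e.g. `https://unpkg.com/<package>@<version>/`, placeholder) and rewording the comment to describe what is actually restricted (script/style origins, connections, framing, form targets) would be more accurate. NewAPI's body continues outside the hunk, and the three hunks in docs/docs/features/api-docs.md carry the same header.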

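--- a/docs/docs/features/api-docs.md
+++ b/docs/docs/features/api-docs.md
@@ -31,6 +31,17 @@ api := humachi.New(router, config)
 
 router.Get("/docs", func(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Type", "text/html")
+// Very strict CSP so we never expose any data to the outside world
+w.Header().Set("Content-Security-Policy",
+"default-src 'none';"+
+" base-uri 'none';"+
+" connect-src 'self';"+
+" form-action 'none';"+
+" frame-ancestors 'none';"+
+" sandbox allow-same-origin allow-scripts;"+
+" script-src https://unpkg.com/;"+
+" style-src 'unsafe-inline' https://unpkg.com/;"+
+" trusted-types 'none'")
 w.Write([]byte(`<!doctype html>
 <html lang="en">
 <head>
@@ -67,6 +78,17 @@ api := humachi.New(router, config)
 
 router.Get("/docs", func(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Type", "text/html")
+// Very strict CSP so we never expose any data to the outside world
+w.Header().Set("Content-Security-Policy",
+"default-src 'none';"+
+" base-uri 'none';"+
+" connect-src 'self';"+
+" form-action 'none';"+
+" frame-ancestors 'none';"+
+" sandbox allow-same-origin allow-scripts;"+
+" script-src 'unsafe-eval' https://unpkg.com/;"+ // TODO: Somehow drop 'unsafe-eval'
+" style-src 'unsafe-inline' https://unpkg.com/;"+ // TODO: Somehow drop 'unsafe-inline'
+" trusted-types 'none'")
 w.Write([]byte(`<!doctype html>
 <html>
 <head>
@@ -101,6 +123,17 @@ api := humachi.New(router, config)
 
 router.Get("/docs", func(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Type", "text/html")
+// Very strict CSP so we never expose any data to the outside world
+w.Header().Set("Content-Security-Policy",
+"default-src 'none';"+
+" base-uri 'none';"+
+" connect-src 'self';"+
+" form-action 'none';"+
+" frame-ancestors 'none';"+
+" sandbox allow-same-origin allow-scripts;"+
+" script-src https://unpkg.com/ 'sha256-SWB2p1nUb0MJzt5MoVlrz+PWYxv53T2z7GdKFxZm9i4=';"+
+" style-src https://unpkg.com/;"+
+" trusted-types 'none'")
 w.Write([]byte(`<!DOCTYPE html>
 <html lang="en">
 <head>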
