
Feature Request: Support for Content-Security-Policy headers #6418

@rutgerc-klarrio

Description


A security policy requires us to enable Content-Security-Policy (CSP) headers on all services.
Since karma doesn't set these headers, we add them with middleware configured in our reverse proxy.

The vite legacy plugin used by the karma ui makes it very hard to write a stable policy because it relies on inline scripts.
Allowing all inline scripts would defeat the purpose of the CSP, and is not allowed by our internal policy.
The workaround would be to include the checksums in the CSP. The vite legacy plugin exposes the checksums required for this.

I have an implementation that (1) stores the checksums during the building of the frontend via a very small vite plugin, (2) embeds those checksums in the go codebase, similar to how the ui assets are embedded into the go codebase, and finally (3) adds the CSP header to all requests for the index.

The resulting header is

Content-Security-Policy: default-src 'none'; script-src 'self' 'sha256-MS6/3FCg4WjP9gwgaBGwLpRCY6fZBgwmhVCdrPrNf3E=' 'sha256-tQjf8gvb2ROOMapIxFvFAYBeUJ0v1HCbOcSmDNXGtDo=' 'sha256-VA8O2hAdooB288EpSTrGLl7z3QikbWU9wwoebO/QaYk=' 'sha256-+5XkZFazzJo8n0iOP4ti/cLCMUudTf//Mzkb7xNPXIc='; style-src 'self' 'unsafe-inline'; img-src 'self'; connect-src 'self'; font-src 'self'; object-src 'none'; media-src 'none'; frame-src 'none'; manifest-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests;

These correspond to the current hashes as documented by the vite legacy plugin, but the header should automatically be updated when changes in the vite plugin would require it.

If this feature is something that could be merged into the project, I would be happy to polish up my implementation a bit and open a PR. If there would be certain requirements for its inclusion (e.g. making it optional or something else), it would be nice and more efficient to know such requirements upfront.
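The three-step design above (hash the inline scripts, embed the hashes in Go, set the header on index requests) sketched as an added Go example; this is not the issue author's implementation nor karma's code. Function names, the index path check and the script text are assumptions; a real build would derive the hashes from the bundler's inline snippets rather than from the constructed string used here.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// hashSource turns the exact body of an inline <script> into the CSP
// hash-source form 'sha256-<base64>'. The digest covers the script text
// byte-for-byte, which is why any change to the bundler's inline snippet
// silently invalidates a hand-written header.
func hashSource(script string) string {
	sum := sha256.Sum256([]byte(script))
	return "'sha256-" + base64.StdEncoding.EncodeToString(sum[:]) + "'"
}

// buildCSP assembles a policy in the shape the issue proposes: nothing by
// default, scripts only from 'self' plus the listed hashes.
func buildCSP(scriptHashes []string) string {
	scriptSrc := append([]string{"'self'"}, scriptHashes...)
	directives := []string{
		"default-src 'none'",
		"script-src " + strings.Join(scriptSrc, " "),
		"style-src 'self' 'unsafe-inline'",
		"img-src 'self'", "connect-src 'self'", "font-src 'self'",
		"object-src 'none'", "base-uri 'none'", "form-action 'self'",
		"frame-ancestors 'none'",
	}
	return strings.Join(directives, "; ") + ";"
}

// withCSP sets the header only on requests for the index document; the
// policy governs the page that embeds the assets, not the assets themselves.
func withCSP(next http.Handler, scriptHashes []string) http.Handler {
	policy := buildCSP(scriptHashes)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/" || r.URL.Path == "/index.html" {
			w.Header().Set("Content-Security-Policy", policy)
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample inline script standing in for the legacy plugin's snippet.
	hashes := []string{hashSource("window.__legacy = true;")}
	fmt.Println(buildCSP(hashes))
}
```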
