2021-08-30 19:43:28 -07:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
2021-09-18 10:06:47 -07:00
|
|
|
"fmt"
|
2021-08-30 19:43:28 -07:00
|
|
|
"net/http"
|
2021-09-18 10:06:47 -07:00
|
|
|
"os"
|
2021-08-30 19:43:28 -07:00
|
|
|
"strings"
|
|
|
|
)
|
|
|
|
|
|
|
|
// SetHeaders will set our global headers for web resources.
|
|
|
|
func SetHeaders(w http.ResponseWriter) {
|
2021-09-18 10:06:47 -07:00
|
|
|
// When running automated browser tests we must allow `unsafe-eval` in our CSP
|
|
|
|
// so we can explicitly add it only when needed.
|
|
|
|
inTest := os.Getenv("BROWSER_TEST") == "true"
|
|
|
|
unsafeEval := ""
|
|
|
|
if inTest {
|
|
|
|
unsafeEval = `'unsafe-eval'`
|
|
|
|
}
|
2021-08-30 19:43:28 -07:00
|
|
|
// Content security policy
|
|
|
|
csp := []string{
|
2022-04-21 14:55:26 -07:00
|
|
|
fmt.Sprintf("script-src 'self' %s 'sha256-B5bOgtE39ax4J6RqDE93TVYrJeLAdxDOJFtF3hoWYDw=' 'sha256-PzXGlTLvNFZ7et6GkP2nD3XuSaAKQVBSYiHzU2ZKm8o=' 'sha256-/wqazZOqIpFSIrNVseblbKCXrezG73X7CMqRSTf+8zw=' 'sha256-jCj2f+ICtd8fvdb0ngc+Hkr/ZnZOMvNkikno/XR6VZs='", unsafeEval),
|
2021-08-30 19:43:28 -07:00
|
|
|
"worker-src 'self' blob:", // No single quotes around blob:
|
|
|
|
}
|
|
|
|
w.Header().Set("Content-Security-Policy", strings.Join(csp, "; "))
|
|
|
|
}
|