fix issue 1340: add CSP headers (#1354)

ugent-library · Jan 19, 2024 · fab3ceb · fab3ceb
1 parent e196d8d
commit fab3ceb
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 3 deletions.
diff --git a/ctx/ctx.go b/ctx/ctx.go
@@ -22,6 +22,7 @@ import (
 	"github.com/ugent-library/httperror"
 	"github.com/ugent-library/mix"
 	"github.com/ugent-library/zaphttp"
+	"github.com/unrolled/secure"
 	"go.uber.org/zap"
 )
 
@@ -56,6 +57,7 @@ func Set(config Config) func(http.Handler) http.Handler {
 				Log:       zaphttp.Logger(r.Context()).Sugar(),
 				Loc:       config.Loc,
 				CSRFToken: csrf.Token(r),
+				CSPNonce:  secure.CSPNonce(r.Context()),
 			}
 			if c.scheme == "" {
 				c.scheme = "http"
@@ -124,6 +126,7 @@ type Ctx struct {
 	OriginalUser *models.Person
 	Flash        []flash.Flash
 	CSRFToken    string
+	CSPNonce     string
 	Nav          string
 }
 

diff --git a/go.mod b/go.mod
@@ -98,6 +98,7 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect
 	github.com/ugent-library/crypt v0.0.0-20230630063634-8c02106fd40e // indirect
+	github.com/unrolled/secure v1.14.0 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
 	github.com/xdg-go/scram v1.1.2 // indirect
 	github.com/xdg-go/stringprep v1.0.4 // indirect

diff --git a/go.sum b/go.sum
@@ -558,6 +558,8 @@ github.com/ugent-library/orcid v0.0.0-20230615125240-eb68c23bc33c h1:NRpS8TkbFjD
 github.com/ugent-library/orcid v0.0.0-20230615125240-eb68c23bc33c/go.mod h1:g5C6oHMPfeceP48vaQLY24pFWtfKKi6mFni+tWbpgvU=
 github.com/ugent-library/zaphttp v0.0.0-20230513174723-52c27d21c5ce h1:+TNoKsfMTTveEe1RQRaJ7TZnHVh1k98Nk+4gTg2mENA=
 github.com/ugent-library/zaphttp v0.0.0-20230513174723-52c27d21c5ce/go.mod h1:CzM8mO+4QRZi4Sx0rPTt9csR6b2IgbIyoveLwFz+bQM=
+github.com/unrolled/secure v1.14.0 h1:u9vJTU/pR4Bny0ntLUMxdfLtmIRGvQf2sEFuA0TG9AE=
+github.com/unrolled/secure v1.14.0/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
 github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=

diff --git a/handlers/base.go b/handlers/base.go
@@ -19,6 +19,7 @@ import (
 	"github.com/ugent-library/biblio-backoffice/models"
 	"github.com/ugent-library/biblio-backoffice/render"
 	"github.com/ugent-library/biblio-backoffice/render/flash"
+	"github.com/unrolled/secure"
 	"go.uber.org/zap"
 )
 
@@ -47,6 +48,7 @@ type BaseContext struct {
 	OriginalUser    *models.Person
 	CSRFToken       string
 	CSRFTag         template.HTML
+	CSPNonce        string
 	FrontendBaseUrl string
 }
 
@@ -117,6 +119,7 @@ func (h BaseHandler) NewContext(r *http.Request, w http.ResponseWriter) (BaseCon
 		OriginalUser:    originalUser,
 		CSRFToken:       csrf.Token(r),
 		CSRFTag:         csrf.TemplateField(r),
+		CSPNonce:        secure.CSPNonce(r.Context()),
 		FrontendBaseUrl: h.FrontendBaseUrl,
 	}, nil
 }

diff --git a/routes/register.go b/routes/register.go
@@ -37,6 +37,8 @@ import (
 	"github.com/ugent-library/oidc"
 	"github.com/ugent-library/zaphttp"
 	"github.com/ugent-library/zaphttp/zapchi"
+	"github.com/unrolled/secure"
+	"github.com/unrolled/secure/cspbuilder"
 	"go.uber.org/zap"
 )
 
@@ -221,6 +223,18 @@ func Register(c Config) {
 			csrf.SameSite(csrf.SameSiteStrictMode),
 			csrf.FieldName("csrf-token"),
 		))
+		r.Use(secure.New(secure.Options{
+			IsDevelopment: c.Env == "local",
+			ContentSecurityPolicy: (&cspbuilder.Builder{
+				Directives: map[string][]string{
+					cspbuilder.DefaultSrc: {"'self'"},
+					cspbuilder.ScriptSrc:  {"'self'", "$NONCE"},
+					// TODO: htmx injects style
+					cspbuilder.StyleSrc: {"'self'", "'unsafe-inline'"},
+					cspbuilder.ImgSrc:   {"'self'", "data:"},
+				},
+			}).MustBuild(),
+		}).Handler)
 
 		// BEGIN NEW STYLE HANDLERS
 		r.Group(func(r *ich.Mux) {

diff --git a/views/layouts/default.layout.gohtml b/views/layouts/default.layout.gohtml
@@ -224,7 +224,7 @@
         {{end}}
     </div>
 
-    <script type="application/javascript" src="{{assetPath "/js/app.js"}}"></script>
+    <script nonce="{{.CSPNonce}}" type="application/javascript" src="{{assetPath "/js/app.js"}}"></script>
 </body>
 
 </html>
diff --git a/views/page_layout.templ b/views/page_layout.templ
@@ -233,7 +233,7 @@ templ pageLayout(c *ctx.Ctx, title string, meta templ.Component) {
             }
         </div>
 
-        <script type="application/javascript" src={ c.AssetPath("/js/app.js") }></script>
+        <script nonce={ c.CSPNonce } type="application/javascript" src={ c.AssetPath("/js/app.js") }></script>
     </body>
 
     </html>

diff --git a/views/page_layout_templ.go b/views/page_layout_templ.go
-Original file line number
+Diff line change
@@ Expand Up / @@ -224,7 +224,7 @@ @@
             {{end}}
         </div>
-        <script type="application/javascript" src="{{assetPath "/js/app.js"}}"></script>
+        <script nonce="{{.CSPNonce}}" type="application/javascript" src="{{assetPath "/js/app.js"}}"></script>
     </body>
     </html>