From 3f090ea2ab232a16921498cdc3c6a4bf54f0781c Mon Sep 17 00:00:00 2001
From: zealousidealroll <42880787+zealousidealroll@users.noreply.github.com>
Date: Mon, 10 Sep 2018 12:14:47 -0700
Subject: [PATCH 1/3] Add content-security-policy
---
 src/web/mod.rs | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/src/web/mod.rs b/src/web/mod.rs
index 14b557778..f1301bbec 100644
--- a/src/web/mod.rs
+++ b/src/web/mod.rs
@@ -68,6 +68,20 @@ const STYLE_CSS: &'static str = include_str!(concat!(env!("OUT_DIR"), "/style.cs
 const OPENSEARCH_XML: &'static [u8] = include_bytes!("opensearch.xml");
+struct ContentSecurityPolicy;
+impl AfterMiddleware for ContentSecurityPolicy {
+ fn after(&self, _req: &mut Request, mut resp: Response) -> IronResult {
+ if resp.headers.get(iron::headers::CONTENT_SECURITY_POLICY) == None {
+ resp.headers.insert(
+ iron::headers::CONTENT_SECURITY_POLICY,
+ "default-src 'self'; worker-src 'none'; font-src 'self' cdnjs.cloudflare.com; script-src 'self' cdnjs.cloudflare.com;".as_ref().parse().unwrap(),
+ );
+ }
+ Ok(resp)
+ }
+}
+
+
 struct CratesfyiHandler {
 shared_resource_handler: Box,
 router_handler: Box,
@@ -90,6 +104,7 @@ impl CratesfyiHandler {
 let mut chain = Chain::new(base);
 chain.link_before(pool::Pool::new());
 chain.link_after(hbse);
+ chain.link_after(ContentSecurityPolicy);
 chain
 }
From bd48fc805bc48e007583fce0f030335479284d1b Mon Sep 17 00:00:00 2001
From: zealousidealroll <42880787+zealousidealroll@users.noreply.github.com>
Date: Wed, 28 Nov 2018 14:07:06 -0700
Subject: [PATCH 2/3] Add style-src
---
 src/web/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/web/mod.rs b/src/web/mod.rs
index f1301bbec..032751d93 100644
--- a/src/web/mod.rs
+++ b/src/web/mod.rs
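Review bot: Responses that Iron delivers through an `Err(IronError)` never reach `after`, so any page produced on that path (the error pages, if the handlers return `Err`) goes out without the header; `AfterMiddleware::catch` is where that response is reachable, and the same insertion belongs there as well. The policy literal also deserves a named `const`, because the hunks in patches 2 and 3 each grow it in place, and `== None` / `.unwrap()` read better as `.is_none()` and `.expect("static CSP value is a valid header")` for what is an invariant on a constant. Note too that `default-src` does not fall back for `base-uri` or `frame-ancestors`, so both stay unrestricted under this policy; `base-uri 'self'` is safe to add, and `frame-ancestors` should be set deliberately to whatever framing the site expects. Allowlisting the whole `cdnjs.cloudflare.com` host for `script-src` admits every script hosted there rather than the ones this site loads; narrowing to the library paths actually used (host-sources accept a path) or self-hosting them keeps the directive meaningful. The sketch below assumes `IronError` is imported next to `IronResult`.
```rust
/// Policy applied to every response that does not already carry one.
const CSP_VALUE: &str = "default-src 'self'; base-uri 'self'; worker-src 'none'; font-src 'self' cdnjs.cloudflare.com; script-src 'self' cdnjs.cloudflare.com;";

/// Insert the policy unless a handler already set its own.
fn apply_csp(resp: &mut Response) {
    if resp.headers.get(iron::headers::CONTENT_SECURITY_POLICY).is_none() {
        resp.headers.insert(
            iron::headers::CONTENT_SECURITY_POLICY,
            CSP_VALUE.parse().expect("static CSP value is a valid header"),
        );
    }
}

impl AfterMiddleware for ContentSecurityPolicy {
    fn after(&self, _req: &mut Request, mut resp: Response) -> IronResult<Response> {
        apply_csp(&mut resp);
        Ok(resp)
    }

    // Responses carried by an error bypass `after`; give them the same header.
    fn catch(&self, _req: &mut Request, mut err: IronError) -> IronResult<Response> {
        apply_csp(&mut err.response);
        Err(err)
    }
}
```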
@@ -74,7 +74,7 @@ impl AfterMiddleware for ContentSecurityPolicy {
 if resp.headers.get(iron::headers::CONTENT_SECURITY_POLICY) == None {
 resp.headers.insert(
 iron::headers::CONTENT_SECURITY_POLICY,
- "default-src 'self'; worker-src 'none'; font-src 'self' cdnjs.cloudflare.com; script-src 'self' cdnjs.cloudflare.com;".as_ref().parse().unwrap(),
+ "default-src 'self'; worker-src 'none'; font-src 'self' cdnjs.cloudflare.com; script-src 'self' cdnjs.cloudflare.com; style-src 'self' cdnjs.cloudflare.com;".as_ref().parse().unwrap(),
 );
 }
 Ok(resp)
From a603bd7b0708f82595d4182eafe231057928951b Mon Sep 17 00:00:00 2001
From: zealousidealroll <42880787+zealousidealroll@users.noreply.github.com>
Date: Fri, 3 May 2019 23:00:28 -0700
Subject: [PATCH 3/3] Add whitelist for img-src
---
 src/web/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/web/mod.rs b/src/web/mod.rs
index 032751d93..1a9120050 100644
--- a/src/web/mod.rs
+++ b/src/web/mod.rs
@@ -74,7 +74,7 @@ impl AfterMiddleware for ContentSecurityPolicy {
 if resp.headers.get(iron::headers::CONTENT_SECURITY_POLICY) == None {
 resp.headers.insert(
 iron::headers::CONTENT_SECURITY_POLICY,
- "default-src 'self'; worker-src 'none'; font-src 'self' cdnjs.cloudflare.com; script-src 'self' cdnjs.cloudflare.com; style-src 'self' cdnjs.cloudflare.com;".as_ref().parse().unwrap(),
+ "default-src 'self'; worker-src 'none'; font-src 'self' cdnjs.cloudflare.com; script-src 'self' cdnjs.cloudflare.com; style-src 'self' cdnjs.cloudflare.com; img-src *;".as_ref().parse().unwrap(),
 );
 }
 Ok(resp)
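Review bot: `style-src` without `'unsafe-inline'` also blocks inline `style=` attributes and `<style>` elements, and nothing in this hunk shows whether the rendered rustdoc or README output contains any; that is worth checking against real pages before the policy ships, and if inline styles turn out to be needed a nonce is preferable to `'unsafe-inline'`. A comment on the literal naming which stylesheet is fetched from `cdnjs.cloudflare.com` would let the next maintainer judge whether the host can be dropped, e.g. `// style-src cdnjs: <stylesheet name — fill in> used by the page template`. The enclosing `after` method starts before this hunk.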
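Review bot: `img-src *` is not a whitelist, whatever the subject line says: it admits every network origin while still excluding `data:` and `blob:` URLs, so images embedded as data URIs in rendered docs (if any exist) remain blocked and every remote host is allowed. Whether that breadth is acceptable for user-authored documentation is a deliberate decision that deserves a comment next to the literal, e.g. `// img-src *: crate READMEs reference images and badges on arbitrary hosts; data: stays excluded`, and if data URIs are needed the directive becomes `img-src * data:;`. The enclosing `after` method begins before this hunk.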