kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-06 18:35:44 +03:00
Code Issues Packages Projects Releases Wiki Activity

config: add configurable content security policy (#18085)

Browse Source
This commit is contained in:
Esteban Barrios
2023-08-14 20:23:03 +02:00
committed by GitHub
parent 3c7a44daea
commit 65d562b760
5 changed files with 140 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
command/agent/http.go
View File

@@ -37,6 +37,7 @@ import (
"github.com/hashicorp/nomad/helper/tlsutil"
"github.com/hashicorp/nomad/nomad"
"github.com/hashicorp/nomad/nomad/structs"
"github.com/hashicorp/nomad/nomad/structs/config"
)
const (
@@ -508,7 +509,7 @@ func (s *HTTPServer) registerHandlers(enableDebug bool) {
uiConfigEnabled := agentConfig.UI != nil && agentConfig.UI.Enabled
if uiEnabled && uiConfigEnabled {
s.mux.Handle("/ui/", http.StripPrefix("/ui/", s.handleUI(http.FileServer(&UIAssetWrapper{FileSystem: assetFS()}))))
s.mux.Handle("/ui/", http.StripPrefix("/ui/", s.handleUI(agentConfig.UI.ContentSecurityPolicy, http.FileServer(&UIAssetWrapper{FileSystem: assetFS()}))))
s.logger.Debug("UI is enabled")
} else {
// Write the stubHTML
@@ -649,10 +650,10 @@ func (e *codedError) Code() int {
return e.code
}
func (s *HTTPServer) handleUI(h http.Handler) http.Handler {
func (s *HTTPServer) handleUI(policy *config.ContentSecurityPolicy, h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
header := w.Header()
header.Add("Content-Security-Policy", "default-src 'none'; connect-src *; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'none'; frame-ancestors 'none'")
header.Add("Content-Security-Policy", policy.String())
h.ServeHTTP(w, req)
})
}