better default csp

lovasoa · lovasoa · commit 7eb6067b9436 · 2024-08-03T19:59:39.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,7 +6,7 @@
 - add `text` and `post_html` properties to the [html](https://sql.ophir.dev/documentation.sql?component=html#component) component. This allows to include sanitized user-generated content in the middle of custom HTML.
  - allow loading javascript ESM modules in the shell component
  - allow customizing the [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) in the configuration.
- - the new default content-security-policy is more secure and easier to use. You can now include inline javascript in your custom components with `<script nonce="{{@csp_nonce}}">...</script>`.
+ - the new default *content security policy* is both more secure and easier to use. You can now include inline javascript in your custom components with `<script nonce="{{@csp_nonce}}">...</script>`.
  - update to [sqlparser v0.49.0](https://github.com/sqlparser-rs/sqlparser-rs/blob/main/CHANGELOG.md#0490-2024-07-23)
    - support [`WITH ORDINALITY`](https://www.postgresql.org/docs/current/queries-table-expressions.html#QUERIES-TABLEFUNCTIONS) in postgres `FROM` clauses
  - update to [handlebars-rs v6](https://github.com/sunng87/handlebars-rust/blob/master/CHANGELOG.md#600---2024-07-20)
diff --git a/src/webserver/http.rs b/src/webserver/http.rs
@@ -534,21 +534,7 @@ pub fn create_app(
         // when receiving a request outside of the prefix, redirect to the prefix
         .default_service(fn_service(default_prefix_redirect))
         .wrap(Logger::default())
-        .wrap(
-            middleware::DefaultHeaders::new()
-                .add((
-                    "Server",
-                    format!("{} v{}", env!("CARGO_PKG_NAME"), env!("CARGO_PKG_VERSION")),
-                ))
-                .add((
-                    "Content-Security-Policy",
-                    app_state
-                        .config
-                        .content_security_policy
-                        .as_deref()
-                        .unwrap_or("script-src 'self' https://cdn.jsdelivr.net"),
-                )),
-        )
+        .wrap(default_headers(&app_state))
         .wrap(middleware::Condition::new(
             app_state.config.compress_responses,
             middleware::Compress::default(),
@@ -560,6 +546,15 @@ pub fn create_app(
         .app_data(app_state)
 }
 
+fn default_headers(app_state: &web::Data<AppState>) -> middleware::DefaultHeaders {
+    let server_header = format!("{} v{}", env!("CARGO_PKG_NAME"), env!("CARGO_PKG_VERSION"));
+    let mut headers = middleware::DefaultHeaders::new().add(("Server", server_header));
+    if let Some(csp) = &app_state.config.content_security_policy {
+        headers = headers.add(("Content-Security-Policy", csp.as_str()));
+    }
+    headers
+}
+
 pub async fn run_server(config: &AppConfig, state: AppState) -> anyhow::Result<()> {
     let listen_on = config.listen_on();
     let state = web::Data::new(state);
