fix: set csp header only for resource (#836)

99d9cc91 · boojack · GitHub · 119603da · 99d9cc91 · 99d9cc91
Unverified Commit 99d9cc91 authored Dec 23, 2022 by boojack Committed by GitHub Dec 23, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 4 deletions

resource.go server/resource.go +1 -0

server.go server/server.go +0 -4

No files found.
--- a/server/resource.go
+++ b/server/resource.go
@@ -265,6 +265,7 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) {
 		c.Response().Writer.Header().Set("Content-Type", resource.Type)
 		c.Response().Writer.WriteHeader(http.StatusOK)
 		c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
+		c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'")
 		if _, err := c.Response().Writer.Write(resource.Blob); err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to write response").SetInternal(err)
 		}

--- a/server/server.go
+++ b/server/server.go
@@ -44,10 +44,6 @@ func NewServer(profile *profile.Profile) *Server {
 		Timeout:      30 * time.Second,
 	}))

-	e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
-		ContentSecurityPolicy: "default-src 'self'",
-	}))
-
 	embedFrontend(e)

 	// In dev mode, set the const secret key to make signin session persistence.