CSP-Flag

internal/config/config.go

@@ -13,6 +13,7 @@ type Config struct {
 	SessionTTL      time.Duration
 	MaxUploadSize   int64
 	CookieSecure    bool
+	AppCSPEnabled   bool
 	LogLevel        string
 	GitAllowedHosts []string
 }
@@ -23,6 +24,7 @@ func Load() Config {
 		SessionTTL:    durationEnvOrDefault("SESSION_TTL", 30*time.Minute),
 		MaxUploadSize: int64(intEnvOrDefault("MAX_UPLOAD_SIZE", 5*1024*1024)),
 		CookieSecure:  boolEnvOrDefault("COOKIE_SECURE", true),
+		AppCSPEnabled: boolEnvOrDefault("APP_CSP_ENABLED", true),
 		LogLevel:      envOrDefault("LOG_LEVEL", "info"),
 		GitAllowedHosts: csvEnvOrDefault("GIT_ALLOWED_HOSTS", []string{
 			"github.com",

internal/httpserver/server.go

@@ -74,7 +74,9 @@ func (s *Server) middleware(next http.Handler) http.Handler {
 
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 		w.Header().Set("Referrer-Policy", "same-origin")
-		w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self';")
+		if s.cfg.AppCSPEnabled {
+			w.Header().Set("Content-Security-Policy", "default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; script-src 'self'; script-src-elem 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; worker-src 'self' blob:;")
+		}
 		if r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {
 			w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
 		}