
Commit 57b38e5

authored
fix: allow coder.com in CSP if telemetry is enabled (#13615)
* fix: allow coder.com in CSP if telemetry is enabled * Fix control couple lint
1 parent 0793a4b commit 57b38e5


3 files changed

+10
-3
lines changed

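--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -1210,7 +1210,7 @@ func New(options *Options) *API {
 
 // Add CSP headers to all static assets and pages. CSP headers only affect
 // browsers, so these don't make sense on api routes.
-cspMW := httpmw.CSPHeaders(func() []string {
+cspMW := httpmw.CSPHeaders(options.Telemetry.Enabled(), func() []string {
 if api.DeploymentValues.Dangerous.AllowAllCors {
 // In this mode, allow all external requests
 return []string{"*"}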
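Review bot: `options.Telemetry.Enabled()` at new line 1213 is evaluated once when New builds the middleware, so the connect-src allowlist is fixed for the lifetime of the process; if the telemetry setting can change without restarting coderd (not visible in this hunk), the CSP would not follow that change. If reading it once is intended, a short comment on that line such as `// Telemetry state is read once at startup; the CSP does not track later changes.` would make the assumption explicit. The enclosing New function starts and ends outside the hunk.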

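--- a/coderd/httpmw/csp.go
+++ b/coderd/httpmw/csp.go
@@ -43,7 +43,9 @@ const (
 // CSPHeaders returns a middleware that sets the Content-Security-Policy header
 // for coderd. It takes a function that allows adding supported external websocket
 // hosts. This is primarily to support the terminal connecting to a workspace proxy.
-func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Handler {
+//
+//nolint:revive
+func CSPHeaders(telemetry bool, websocketHosts func() []string) func(next http.Handler) http.Handler {
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 // Content-Security-Policy disables loading certain content types and can prevent XSS injections.
@@ -83,6 +85,11 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han
 // "require-trusted-types-for" : []string{"'script'"},
 }
 
+if telemetry {
+// If telemetry is enabled, we report to coder.com.
+cspSrcs.Append(cspDirectiveConnectSrc, "https://coder.com")
+}
+
 // This extra connect-src addition is required to support old webkit
 // based browsers (Safari).
 // See issue: https://github.com/w3c/webappsec-csp/issues/7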
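Review bot: The doc comment on CSPHeaders is not updated for the new `telemetry` parameter; the `//` and `//nolint:revive` lines added at new lines 46-47 describe neither what the flag means nor which lint is being silenced. Suggest replacing the empty `//` line with `// telemetry reports whether deployment telemetry is enabled; when true, https://coder.com is added to connect-src so the frontend may send requests to it.` and naming the suppressed rule in the directive, e.g. `//nolint:revive // flag-parameter: the value is fixed at construction`. That the browser, rather than coderd itself, is what reports to coder.com is inferred only from the directive being connect-src; confirm before wording the comment that way. The literal origin at new line 90 could also be a named constant beside the cspDirective* constants so every entry in the allowlist is discoverable in one place.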

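--- a/coderd/httpmw/csp_test.go
+++ b/coderd/httpmw/csp_test.go
@@ -19,7 +19,7 @@ func TestCSPConnect(t *testing.T) {
 r := httptest.NewRequest(http.MethodGet, "/", nil)
 rw := httptest.NewRecorder()
 
-httpmw.CSPHeaders(func() []string {
+httpmw.CSPHeaders(false, func() []string {
 return expected
 })(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 rw.WriteHeader(http.StatusOK)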
