
Commit 648c707

chore: toggle with experiment
1 parent edb2314 commit 648c707


2 files changed

+24
-13
lines changed

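--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -1532,17 +1532,19 @@ func New(options *Options) *API {
 
 	// Add CSP headers to all static assets and pages. CSP headers only affect
 	// browsers, so these don't make sense on api routes.
-	cspMW := httpmw.CSPHeaders(options.Telemetry.Enabled(), func() []string {
-		if api.DeploymentValues.Dangerous.AllowAllCors {
-			// In this mode, allow all external requests
-			return []string{"*"}
-		}
-		if f := api.WorkspaceProxyHostsFn.Load(); f != nil {
-			return (*f)()
-		}
-		// By default we do not add extra websocket connections to the CSP
-		return []string{}
-	}, additionalCSPHeaders)
+	cspMW := httpmw.CSPHeaders(
+		api.Experiments,
+		options.Telemetry.Enabled(), func() []string {
+			if api.DeploymentValues.Dangerous.AllowAllCors {
+				// In this mode, allow all external requests
+				return []string{"*"}
+			}
+			if f := api.WorkspaceProxyHostsFn.Load(); f != nil {
+				return (*f)()
+			}
+			// By default we do not add extra websocket connections to the CSP
+			return []string{}
+		}, additionalCSPHeaders)
 
 	// Static file handler must be wrapped with HSTS handler if the
 	// StrictTransportSecurityAge is set. We only need to set this header on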

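--- a/coderd/httpmw/csp.go
+++ b/coderd/httpmw/csp.go
@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"net/http"
 	"strings"
+
+	"github.com/coder/coder/v2/codersdk"
 )
 
 // cspDirectives is a map of all csp fetch directives to their values.
@@ -55,7 +57,7 @@ const (
 // Example: https://github.com/coder/coder/issues/15118
 //
 //nolint:revive
-func CSPHeaders(telemetry bool, websocketHosts func() []string, staticAdditions map[CSPFetchDirective][]string) func(next http.Handler) http.Handler {
+func CSPHeaders(experiments codersdk.Experiments, telemetry bool, websocketHosts func() []string, staticAdditions map[CSPFetchDirective][]string) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			// Content-Security-Policy disables loading certain content types and can prevent XSS injections.
@@ -88,13 +90,20 @@ func CSPHeaders(telemetry bool, websocketHosts func() []string, staticAdditions
 				CSPDirectiveMediaSrc: {"'self'"},
 				// Report all violations back to the server to log
 				CSPDirectiveReportURI: {"/api/v2/csp/reports"},
-				CSPFrameAncestors: {"'self'"},
 
 				// Only scripts can manipulate the dom. This prevents someone from
 				// naming themselves something like '<svg onload="alert(/cross-site-scripting/)" />'.
 				// "require-trusted-types-for" : []string{"'script'"},
 			}
 
+			if experiments.Enabled(codersdk.ExperimentAITasks) {
+				// AI tasks use iframe embeds of local apps.
+				// TODO: Handle region domains too, not just path based apps
+				cspSrcs.Append(CSPFrameAncestors, `'self'`)
+			} else {
+				cspSrcs.Append(CSPFrameAncestors, `'none'`)
+			}
+
 			if telemetry {
 				// If telemetry is enabled, we report to coder.com.
 				cspSrcs.Append(CSPDirectiveConnectSrc, "https://coder.com")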
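Review bot: The else branch's `cspSrcs.Append(CSPFrameAncestors, `'none'`)` is fragile, because browsers ignore `'none'` whenever any other source expression shares the same list; if `staticAdditions` (merged somewhere outside this hunk) or any later Append ever contributes a frame-ancestors entry, the directive silently stops blocking framing instead of failing closed. Consider assigning the directive outright rather than appending, or asserting that `'none'` is the sole source before the header is rendered. The experiment branch's `'self'` also deserves a sentence in the comment, since it lets any same-origin document frame the dashboard, and the TODO implies path-based workspace apps currently live on that origin, so a user-controlled app could frame the dashboard for clickjacking; something like `// 'self' permits any same-origin page (including path-based workspace apps, if served from this origin) to frame the dashboard.` would make the trade-off explicit. The enclosing handler function starts before this hunk.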
