@@ -169,37 +169,37 @@ func (t *htmlTemplates) renderWithState(path string, state htmlState) ([]byte, e
169169 return buf .Bytes (), nil
170170}
171171
172- // CSPDirectives is a map of all csp fetch directives to their values.
172+ // cspDirectives is a map of all csp fetch directives to their values.
173173// Each directive is a set of values that is joined by a space (' ').
174174// All directives are semi-colon separated as a single string for the csp header.
175- type CSPDirectives map [CSPFetchDirective ][]string
175+ type cspDirectives map [cspFetchDirective ][]string
176176
177- func (s CSPDirectives ) Append (d CSPFetchDirective , values ... string ) {
177+ func (s cspDirectives ) append (d cspFetchDirective , values ... string ) {
178178 if _ , ok := s [d ]; ! ok {
179179 s [d ] = make ([]string , 0 )
180180 }
181181 s [d ] = append (s [d ], values ... )
182182}
183183
184- // CSPFetchDirective is the list of all constant fetch directives that
184+ // cspFetchDirective is the list of all constant fetch directives that
185185// can be used/appended to.
186- type CSPFetchDirective string
186+ type cspFetchDirective string
187187
188188const (
189- CSPDirectiveDefaultSrc = "default-src"
190- CSPDirectiveConnectSrc = "connect-src"
191- CSPDirectiveChildSrc = "child-src"
192- CSPDirectiveScriptSrc = "script-src"
193- CSPDirectiveFontSrc = "font-src"
194- CSPDirectiveStyleSrc = "style-src"
195- CSPDirectiveObjectSrc = "object-src"
196- CSPDirectiveManifestSrc = "manifest-src"
197- CSPDirectiveFrameSrc = "frame-src"
198- CSPDirectiveImgSrc = "img-src"
199- CSPDirectiveReportURI = "report-uri"
200- CSPDirectiveFormAction = "form-action"
201- CSPDirectiveMediaSrc = "media-src"
202- CSPFrameAncestors = "frame-ancestors"
189+ cspDirectiveDefaultSrc = "default-src"
190+ cspDirectiveConnectSrc = "connect-src"
191+ cspDirectiveChildSrc = "child-src"
192+ cspDirectiveScriptSrc = "script-src"
193+ cspDirectiveFontSrc = "font-src"
194+ cspDirectiveStyleSrc = "style-src"
195+ cspDirectiveObjectSrc = "object-src"
196+ cspDirectiveManifestSrc = "manifest-src"
197+ cspDirectiveFrameSrc = "frame-src"
198+ cspDirectiveImgSrc = "img-src"
199+ cspDirectiveReportURI = "report-uri"
200+ cspDirectiveFormAction = "form-action"
201+ cspDirectiveMediaSrc = "media-src"
202+ cspFrameAncestors = "frame-ancestors"
203203)
204204
205205// secureHeaders is only needed for statically served files. We do not need this for api endpoints.
@@ -210,26 +210,26 @@ func secureHeaders(next http.Handler) http.Handler {
210210 // If we ever want to render something like a PDF, we need to adjust "object-src"
211211 //
212212 // The list of CSP options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
213- cspSrcs := CSPDirectives {
213+ cspSrcs := cspDirectives {
214214 // All omitted fetch csp srcs default to this.
215- CSPDirectiveDefaultSrc : {"'self'" },
216- CSPDirectiveConnectSrc : {"'self' ws: wss:" },
217- CSPDirectiveChildSrc : {"'self'" },
218- CSPDirectiveScriptSrc : {"'self'" },
219- CSPDirectiveFontSrc : {"'self'" },
220- CSPDirectiveStyleSrc : {"'self' 'unsafe-inline'" },
215+ cspDirectiveDefaultSrc : {"'self'" },
216+ cspDirectiveConnectSrc : {"'self' ws: wss:" },
217+ cspDirectiveChildSrc : {"'self'" },
218+ cspDirectiveScriptSrc : {"'self'" },
219+ cspDirectiveFontSrc : {"'self'" },
220+ cspDirectiveStyleSrc : {"'self' 'unsafe-inline'" },
221221 // object-src is needed to support code-server
222- CSPDirectiveObjectSrc : {"'self'" },
222+ cspDirectiveObjectSrc : {"'self'" },
223223 // blob: for loading the pwa manifest for code-server
224- CSPDirectiveManifestSrc : {"'self' blob:" },
225- CSPDirectiveFrameSrc : {"'self'" },
224+ cspDirectiveManifestSrc : {"'self' blob:" },
225+ cspDirectiveFrameSrc : {"'self'" },
226226 // data: for loading base64 encoded icons for generic applications.
227- CSPDirectiveImgSrc : {"'self' https://cdn.coder.com data:" },
228- CSPDirectiveFormAction : {"'self'" },
229- CSPDirectiveMediaSrc : {"'self'" },
227+ cspDirectiveImgSrc : {"'self' https://cdn.coder.com data:" },
228+ cspDirectiveFormAction : {"'self'" },
229+ cspDirectiveMediaSrc : {"'self'" },
230230 // Report all violations back to the server to log
231- CSPDirectiveReportURI : {"/api/private/csp/reports" },
232- CSPFrameAncestors : {"'none'" },
231+ cspDirectiveReportURI : {"/api/private/csp/reports" },
232+ cspFrameAncestors : {"'none'" },
233233
234234 // Only scripts can manipulate the dom. This prevents someone from
235235 // naming themselves something like '<svg onload="alert(/cross-site-scripting/)" />'.
0 commit comments