Skip to content

Commit bc631e6

Browse files
kylecarbskylecarbs
committed
fix: allow coder.com in CSP if telemetry is enabled
1 parent 0793a4b commit bc631e6

File tree

3 files changed

+8
-3
lines changed

3 files changed

+8
-3
lines changed

coderd/coderd.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1210,7 +1210,7 @@ func New(options *Options) *API {
12101210

12111211
// Add CSP headers to all static assets and pages. CSP headers only affect
12121212
// browsers, so these don't make sense on api routes.
1213-
cspMW := httpmw.CSPHeaders(func() []string {
1213+
cspMW := httpmw.CSPHeaders(options.Telemetry.Enabled(), func() []string {
12141214
if api.DeploymentValues.Dangerous.AllowAllCors {
12151215
// In this mode, allow all external requests
12161216
return []string{"*"}

coderd/httpmw/csp.go

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@ const (
4343
// CSPHeaders returns a middleware that sets the Content-Security-Policy header
4444
// for coderd. It takes a function that allows adding supported external websocket
4545
// hosts. This is primarily to support the terminal connecting to a workspace proxy.
46-
func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Handler {
46+
func CSPHeaders(telemetry bool, websocketHosts func() []string) func(next http.Handler) http.Handler {
4747
return func(next http.Handler) http.Handler {
4848
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
4949
// Content-Security-Policy disables loading certain content types and can prevent XSS injections.
@@ -83,6 +83,11 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han
8383
// "require-trusted-types-for" : []string{"'script'"},
8484
}
8585

86+
if telemetry {
87+
// If telemetry is enabled, we report to coder.com.
88+
cspSrcs.Append(cspDirectiveConnectSrc, "https://coder.com")
89+
}
90+
8691
// This extra connect-src addition is required to support old webkit
8792
// based browsers (Safari).
8893
// See issue: https://github.com/w3c/webappsec-csp/issues/7

coderd/httpmw/csp_test.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ func TestCSPConnect(t *testing.T) {
1919
r := httptest.NewRequest(http.MethodGet, "/", nil)
2020
rw := httptest.NewRecorder()
2121

22-
httpmw.CSPHeaders(func() []string {
22+
httpmw.CSPHeaders(false, func() []string {
2323
return expected
2424
})(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
2525
rw.WriteHeader(http.StatusOK)

0 commit comments

Comments
 (0)