diff --git a/coderd/coderd.go b/coderd/coderd.go
index 6de169cce71b7..cca4faf36a203 100644
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -1210,7 +1210,7 @@ func New(options *Options) *API {
 // Add CSP headers to all static assets and pages. CSP headers only affect
 // browsers, so these don't make sense on api routes.
- cspMW := httpmw.CSPHeaders(func() []string {
+ cspMW := httpmw.CSPHeaders(options.Telemetry.Enabled(), func() []string {
 if api.DeploymentValues.Dangerous.AllowAllCors {
 // In this mode, allow all external requests
 return []string{"*"}
diff --git a/coderd/httpmw/csp.go b/coderd/httpmw/csp.go
index fde5c62d8bd6f..0862a0cd7cb2a 100644
--- a/coderd/httpmw/csp.go
+++ b/coderd/httpmw/csp.go
@@ -43,7 +43,9 @@ const (
 // CSPHeaders returns a middleware that sets the Content-Security-Policy header
 // for coderd. It takes a function that allows adding supported external websocket
 // hosts. This is primarily to support the terminal connecting to a workspace proxy.
-func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Handler {
+//
+//nolint:revive
+func CSPHeaders(telemetry bool, websocketHosts func() []string) func(next http.Handler) http.Handler {
 return func(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 // Content-Security-Policy disables loading certain content types and can prevent XSS injections.
@@ -83,6 +85,11 @@ func CSPHeaders(websocketHosts func() []string) func(next http.Handler) http.Han
 // "require-trusted-types-for" : []string{"'script'"},
 }
 
+ if telemetry {
+ // If telemetry is enabled, we report to coder.com.
+ cspSrcs.Append(cspDirectiveConnectSrc, "https://coder.com")
+ }
+
 // This extra connect-src addition is required to support old webkit
 // based browsers (Safari).
 // See issue: https://github.com/w3c/webappsec-csp/issues/7
diff --git a/coderd/httpmw/csp_test.go b/coderd/httpmw/csp_test.go
index 2dca209faa5c3..d389d778eeba6 100644
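Review bot: The doc comment on `CSPHeaders` still describes only the websocketHosts argument, so the new telemetry parameter is undocumented, and the added `//nolint:revive` gives no reason for the suppression (presumably revive's flag-parameter rule firing on the bool). Extend the comment with `// telemetry, when true, additionally allows https://coder.com in connect-src so the browser can report telemetry.` and state the reason on the directive, e.g. `//nolint:revive // flag-parameter: telemetry is a deployment-wide setting, not a behaviour switch callers vary per request`. The function body continues past the end of this hunk.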
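Review bot: The added connect-src entry `"https://coder.com"` is a hard-coded literal inside the CSP middleware, while the destination the telemetry reporter actually contacts is defined somewhere else; if that endpoint exists as a constant or option in the telemetry code, reference it here so the CSP allow-list and the real destination cannot drift (drift would either silently block reporting or leave an unneeded origin allowed). The flag is also fixed when the middleware is constructed (coderd.go passes `options.Telemetry.Enabled()` once at startup), so a telemetry setting changed at runtime would not be reflected in the header; if that is intended, say so: `// telemetry is captured at construction; rebuild the middleware if the setting can change.` CSPHeaders' body begins and ends outside this hunk.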
--- a/coderd/httpmw/csp_test.go
+++ b/coderd/httpmw/csp_test.go
@@ -19,7 +19,7 @@ func TestCSPConnect(t *testing.T) {
 r := httptest.NewRequest(http.MethodGet, "/", nil)
 rw := httptest.NewRecorder()
- httpmw.CSPHeaders(func() []string {
+ httpmw.CSPHeaders(false, func() []string {
 return expected
 })(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 rw.WriteHeader(http.StatusOK)
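Review bot: The new telemetry branch is exercised only with `false` here, so no test asserts that passing `true` adds `https://coder.com` to connect-src, nor that `false` leaves it out. Add a second case, for example a small table over the telemetry argument, that runs the middleware the same way this test does and checks the Content-Security-Policy header for the presence or absence of `https://coder.com` within the connect-src directive. TestCSPConnect's body continues outside this hunk.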