Skip to content

Commit

Permalink
feature (csp): admin option to enable/disable csp
Browse files Browse the repository at this point in the history
One of the use case for this is to be able to open an html document via
an iframe and have the content of the document to be fully loaded when
we can assume the storage setup in Filestash is trusted
  • Loading branch information
mickael-kerjean committed Apr 2, 2024
1 parent 8de87be commit 3d65a40
Showing 1 changed file with 15 additions and 2 deletions.
17 changes: 15 additions & 2 deletions server/ctrl/files.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ type FileInfo struct {
var (
file_cache AppCache
zip_timeout func() int
disable_csp func() bool
)

func init() {
Expand All @@ -45,12 +46,24 @@ func init() {
return f
}).Int()
}
disable_csp = func() bool {
return Config.Get("features.protection.disable_csp").Schema(func(f *FormElement) *FormElement {
if f == nil {
f = &FormElement{}
}
f.Name = "disable_csp"
f.Type = "boolean"
f.Description = "Disable the content security policy. Unless you 100% trust the content in your storage and want to execute code running from that storage, you shouldn't have this option checked"
return f
}).Bool()
}
file_cache = NewAppCache()
file_cache.OnEvict(func(key string, value interface{}) {
os.RemoveAll(filepath.Join(GetAbsolutePath(TMP_PATH), key))
})
Hooks.Register.Onload(func() {
zip_timeout()
disable_csp()
})
}

Expand Down Expand Up @@ -296,10 +309,10 @@ func FileCat(ctx *App, res http.ResponseWriter, req *http.Request) {
}

// publish headers
if contentLength != -1 {
if contentLength >= 0 {
header.Set("Content-Length", fmt.Sprintf("%d", contentLength))
}
if header.Get("Content-Security-Policy") == "" {
if disable_csp() == false {
header.Set("Content-Security-Policy", "default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'; font-src data:; script-src-elem 'self'")
}
if fname := query.Get("name"); fname != "" {
Expand Down

0 comments on commit 3d65a40

Please sign in to comment.