owncast/router/middleware/headers.go

package middleware

import (
	"fmt"
	"net/http"
	"strings"
)

// SetHeaders will set our global headers for web resources.
func SetHeaders(w http.ResponseWriter, nonce string) {
	// Content security policy
	csp := []string{
		fmt.Sprintf("script-src '%s' 'self'", nonce),
		"worker-src 'self' blob:", // No single quotes around blob:
	}
	w.Header().Set("Content-Security-Policy", strings.Join(csp, "; "))
}
Merge pull request from GHSA-2hfj-cxw7-g45p 2021-08-31 04:43:28 +02:00			`package middleware`

			`import (`
Explicitly add unsafe-eval only when running automated browser tests 2021-09-18 19:06:47 +02:00			`"fmt"`
Merge pull request from GHSA-2hfj-cxw7-g45p 2021-08-31 04:43:28 +02:00			`"net/http"`
			`"strings"`
			`)`

			`// SetHeaders will set our global headers for web resources.`
Support CSP nonce for webv2. Closes #2127 2022-12-13 01:57:17 +01:00			`func SetHeaders(w http.ResponseWriter, nonce string) {`
Merge pull request from GHSA-2hfj-cxw7-g45p 2021-08-31 04:43:28 +02:00			`// Content security policy`
			`csp := []string{`
Support CSP nonce for webv2. Closes #2127 2022-12-13 01:57:17 +01:00			`fmt.Sprintf("script-src '%s' 'self'", nonce),`
Merge pull request from GHSA-2hfj-cxw7-g45p 2021-08-31 04:43:28 +02:00			`"worker-src 'self' blob:", // No single quotes around blob:`
			`}`
			`w.Header().Set("Content-Security-Policy", strings.Join(csp, "; "))`
			`}`