satellite/console: config flag for enabling/disabling CSP

WHAT: config flag for enabling/disabling CSP WHY: for easier testing Change-Id: If04a98071d2b147d18b95809ef6bd4c95d6a2d1d
2021-04-09 14:37:33 +03:00 · 2021-04-09 14:37:33 +03:00 · a3e6604883
commit a3e6604883
parent c4a950a40c
2 changed files with 15 additions and 8 deletions
--- a/satellite/console/consoleweb/server.go
+++ b/satellite/console/consoleweb/server.go
@ -88,6 +88,7 @@ type Config struct {
 	DocumentationURL                string `help:"url link to documentation" devDefault:"https://documentation.storj.io/" releaseDefault:"https://documentation.tardigrade.io/"`
 	CouponCodeUIEnabled             bool   `help:"indicates if user is allowed to add coupon codes to account" default:"false"`
 	FileBrowserFlowDisabled         bool   `help:"indicates if file browser flow is disabled" default:"true"`
+	CSPEnabled                      bool   `help:"indicates if Content Security Policy is enabled" devDefault:"false" releaseDefault:"true"`

 	RateLimit web.IPRateLimiterConfig

@ -279,17 +280,20 @@ func (server *Server) Close() error {
 func (server *Server) appHandler(w http.ResponseWriter, r *http.Request) {
 	header := w.Header()

-	cspValues := []string{
-		"default-src 'self'",
-		"connect-src 'self' api.segment.io *.google-analytics.com *.tardigradeshare.io " + server.config.GatewayCredentialsRequestURL,
-		"frame-ancestors " + server.config.FrameAncestors,
-		"frame-src 'self' *.stripe.com *.googletagmanager.com",
-		"img-src 'self' data: *.customer.io *.googletagmanager.com *.google-analytics.com",
-		"script-src 'sha256-wAqYV6m2PHGd1WDyFBnZmSoyfCK0jxFAns0vGbdiWUA=' 'self' *.stripe.com cdn.segment.com *.customer.io *.google-analytics.com *.googletagmanager.com",
+	if server.config.CSPEnabled {
+		cspValues := []string{
+			"default-src 'self'",
+			"connect-src 'self' api.segment.io *.google-analytics.com *.tardigradeshare.io " + server.config.GatewayCredentialsRequestURL,
+			"frame-ancestors " + server.config.FrameAncestors,
+			"frame-src 'self' *.stripe.com *.googletagmanager.com",
+			"img-src 'self' data: *.customer.io *.googletagmanager.com *.google-analytics.com",
+			"script-src 'sha256-wAqYV6m2PHGd1WDyFBnZmSoyfCK0jxFAns0vGbdiWUA=' 'self' *.stripe.com cdn.segment.com *.customer.io *.google-analytics.com *.googletagmanager.com",
+		}
+
+		header.Set("Content-Security-Policy", strings.Join(cspValues, "; "))
 	}

 	header.Set(contentType, "text/html; charset=UTF-8")
-	header.Set("Content-Security-Policy", strings.Join(cspValues, "; "))
 	header.Set("X-Content-Type-Options", "nosniff")
 	header.Set("Referrer-Policy", "same-origin") // Only expose the referring url when navigating around the satellite itself.

--- a/scripts/testdata/satellite-config.yaml.lock
+++ b/scripts/testdata/satellite-config.yaml.lock
@ -94,6 +94,9 @@ compensation.withheld-percents: 75,75,75,50,50,50,25,25,25,0,0,0,0,0,0
 # indicates if user is allowed to add coupon codes to account
 # console.coupon-code-ui-enabled: false

+# indicates if Content Security Policy is enabled
+# console.csp-enabled: true
+
 # default project limits for users
 # console.default-project-limit: 3