I have been trying to spin up my own instance of yopass with the Docker image in DockerHub.

When I access the instance the CSP emitted by the server is the following:

The problem resides within `font-src`... Taking a look at the devtools console it looks like the following:

Taking a look at the CSS file that loads fonts it looks like the following:

Note that the third `@font-face` conflicts with the current CSP defined in: https://github.com/jhaals/yopass/blob/2e4058d860fad7c7a014da57acd81c4bad3b5e00/pkg/server/server.go#L182C21-L182C21

Therefore, I think the correct CSP would be like the following (in `pkg/server/server.go`):

```go
// SecurityHeadersHandler returns a middleware which sets common security
// HTTP headers on the response to mitigate common web vulnerabilities.
func SecurityHeadersHandler(next http.Handler) http.Handler {
	csp := []string{
		"default-src 'self'",
		"font-src 'self' data:",
		"form-action 'self'",
		"frame-ancestors 'none'",
		"script-src 'self'",
		"style-src 'self' 'unsafe-inline'",
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Directives are joined with "; " into a single Content-Security-Policy header.
		w.Header().Set("Content-Security-Policy", strings.Join(csp, "; "))
		next.ServeHTTP(w, r)
	})
}
```

If you see this as the right approach I can try to test it and open a PR.
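As an added example (not code from the issue or from the yopass project), a small Go checker that applies the CSP fallback rule behind this report: when `font-src` is absent, font loads are governed by `default-src`, so a `data:` font URI is blocked under `default-src 'self'`, while the proposed `font-src 'self' data:` admits it. The origin, both policies and the `data:` URI are constructed; the first policy is assumed to omit `font-src`.

```go
package main

import (
	"fmt"
	"strings"
)

// parseCSP splits a Content-Security-Policy header into directive -> source expressions.
func parseCSP(header string) map[string][]string {
	policy := map[string][]string{}
	for _, directive := range strings.Split(header, ";") {
		if fields := strings.Fields(directive); len(fields) > 0 {
			policy[strings.ToLower(fields[0])] = fields[1:]
		}
	}
	return policy
}

// allowsSource reports whether a fetch directive such as "font-src" permits loading
// url from a page served at origin. A missing fetch directive falls back to default-src,
// which is why a data: font is blocked when only default-src 'self' is set.
// Only the source expressions relevant here are modelled: 'none', 'self' and scheme sources.
func allowsSource(policy map[string][]string, directive, origin, url string) bool {
	sources, ok := policy[directive]
	if !ok {
		if sources, ok = policy["default-src"]; !ok {
			return true // no governing directive: unrestricted
		}
	}
	if len(sources) == 1 && sources[0] == "'none'" {
		return false
	}
	for _, src := range sources {
		if src == "'self'" && (url == origin || strings.HasPrefix(url, origin+"/")) {
			return true
		}
		if strings.HasSuffix(src, ":") && strings.HasPrefix(url, src) {
			return true // scheme source, e.g. data:
		}
	}
	return false
}

func main() {
	origin, font := "https://yopass.example", "data:font/woff2;base64,d09GMgAB" // constructed
	for _, h := range []string{ // constructed: a policy without font-src, then the proposed one
		"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
		"default-src 'self'; font-src 'self' data:; frame-ancestors 'none'; script-src 'self'",
	} {
		fmt.Printf("font allowed under %q: %v\n", h, allowsSource(parseCSP(h), "font-src", origin, font))
	}
}
```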