diff --git a/internal/server/const.go b/internal/server/const.go index 098a5bea..ae815cd4 100644 --- a/internal/server/const.go +++ b/internal/server/const.go @@ -59,7 +59,6 @@ X_AUTHELIA_HEALTHCHECK_PATH=%s ` const ( - cspDefaultTemplate = "default-src 'self'; object-src 'none'; style-src 'self' 'nonce-%s'" - cspDefaultDevTemplate = "default-src 'self' 'unsafe-eval'; object-src 'none'; style-src 'self' 'nonce-%s'" - cspNoncePlaceholder = "${NONCE}" + cspDefaultTemplate = "default-src 'self'%s; frame-src 'none'; object-src 'none'; style-src 'self' 'nonce-%s'; frame-ancestors 'none'; base-uri 'self'" + cspNoncePlaceholder = "${NONCE}" ) diff --git a/internal/server/template.go b/internal/server/template.go index 31b81250..9c5bb523 100644 --- a/internal/server/template.go +++ b/internal/server/template.go @@ -76,9 +76,9 @@ func ServeTemplatedFile(publicDir, file, assetPath, duoSelfEnrollment, rememberM case ctx.Configuration.Server.Headers.CSPTemplate != "": ctx.Response.Header.Add("Content-Security-Policy", strings.ReplaceAll(ctx.Configuration.Server.Headers.CSPTemplate, cspNoncePlaceholder, nonce)) case os.Getenv("ENVIRONMENT") == dev: - ctx.Response.Header.Add("Content-Security-Policy", fmt.Sprintf(cspDefaultDevTemplate, nonce)) + ctx.Response.Header.Add("Content-Security-Policy", fmt.Sprintf(cspDefaultTemplate, " 'unsafe-eval'", nonce)) default: - ctx.Response.Header.Add("Content-Security-Policy", fmt.Sprintf(cspDefaultTemplate, nonce)) + ctx.Response.Header.Add("Content-Security-Policy", fmt.Sprintf(cspDefaultTemplate, "", nonce)) } err := tmpl.Execute(ctx.Response.BodyWriter(), struct{ Base, BaseURL, CSPNonce, DuoSelfEnrollment, LogoOverride, RememberMe, ResetPassword, ResetPasswordCustomURL, Session, Theme string }{Base: base, BaseURL: baseURL, CSPNonce: nonce, DuoSelfEnrollment: duoSelfEnrollment, LogoOverride: logoOverride, RememberMe: rememberMe, ResetPassword: resetPassword, ResetPasswordCustomURL: resetPasswordCustomURL, Session: session, Theme: theme})