apply csp almost everywhere
parent
f1b021d770
commit
a9403f93f8
|
@ -92,7 +92,7 @@ object Tv extends LilaController {
|
|||
} as JAVASCRIPT withHeaders (CACHE_CONTROL -> "max-age=86400")
|
||||
}
|
||||
|
||||
def frame = Action.async { req =>
|
||||
def frame = Action.async { implicit req =>
|
||||
Env.tv.tv.getBestGame map {
|
||||
case None => NotFound
|
||||
case Some(game) => Ok(views.html.tv.embed(
|
||||
|
|
|
@ -2,6 +2,7 @@ package lila.app
|
|||
package templating
|
||||
|
||||
import controllers.routes
|
||||
import play.api.mvc.RequestHeader
|
||||
import play.twirl.api.Html
|
||||
|
||||
import lila.api.Context
|
||||
|
@ -86,9 +87,9 @@ trait AssetHelper { self: I18nHelper =>
|
|||
s"""<script src="$local"></script>"""
|
||||
}
|
||||
|
||||
def defaultCsp(implicit ctx: Context): ContentSecurityPolicy = {
|
||||
val assets = if (ctx.req.secure) "https://" + assetDomain else assetDomain
|
||||
val socket = (if (ctx.req.secure) "wss://" else "ws://") + socketDomain
|
||||
def basicCsp(implicit req: RequestHeader): ContentSecurityPolicy = {
|
||||
val assets = if (req.secure) "https://" + assetDomain else assetDomain
|
||||
val socket = (if (req.secure) "wss://" else "ws://") + socketDomain
|
||||
ContentSecurityPolicy(
|
||||
defaultSrc = List("'self'", assets),
|
||||
connectSrc = List("'self'", assets, socket, lila.api.Env.current.ExplorerEndpoint, lila.api.Env.current.TablebaseEndpoint),
|
||||
|
@ -96,10 +97,15 @@ trait AssetHelper { self: I18nHelper =>
|
|||
fontSrc = List("'self'", assetDomain, "https://fonts.gstatic.com"),
|
||||
childSrc = List("'self'", "https://youtube.com"),
|
||||
imgSrc = List("data:", "*"),
|
||||
scriptSrc = List("'self'", assets, "https://cdnjs.cloudflare.com", ctx.nonce.scriptSrc)
|
||||
scriptSrc = List("'self'", assets, "https://cdnjs.cloudflare.com")
|
||||
)
|
||||
}
|
||||
|
||||
def defaultCsp(implicit ctx: Context): ContentSecurityPolicy = {
|
||||
implicit val req = ctx.req
|
||||
basicCsp.withScriptSrc(ctx.nonce.scriptSrc)
|
||||
}
|
||||
|
||||
def embedJsUnsafe(js: String)(implicit ctx: Context): Html = Html {
|
||||
s"""<script nonce="${ctx.nonce}">$js</script>"""
|
||||
}
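Review bot: `implicit val req = ctx.req` in the new defaultCsp declares an implicit without an explicit type; the compiler's lint flags that and readers cannot see which implicit basicCsp resolves, so it should be `implicit val req: RequestHeader = ctx.req` (the import added at the top of this file already brings the type in). The split between basicCsp and defaultCsp is undocumented: a scaladoc on basicCsp saying that it builds the policy from a RequestHeader alone and carries no script nonce, and one on defaultCsp saying it is basicCsp plus `ctx.nonce.scriptSrc`, would tell template authors which one a given page needs. As written, a page served with basicCsp has a script-src with no nonce and no 'unsafe-inline', so any inline script on it will presumably be blocked; that is worth stating in the comment so it is read as intended rather than as an omission.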
|
||||
|
|
|
@ -4,8 +4,9 @@
|
|||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta http-equiv="Content-Security-Policy" content="@defaultCsp">
|
||||
<title>404 - Game not found</title>
|
||||
<link href='//fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300' rel='stylesheet' type='text/css'>
|
||||
<link href="http://fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300" rel="stylesheet" type="text/css">
|
||||
@ctx.currentBg match {
|
||||
case "dark" => { @cssTag("dark.css") }
|
||||
case "transp" => { @cssTag("dark.css")@cssTag("transp.css") }
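Review bot: The rewritten font link `<link href="http://fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300" ...>` uses `http://`, whereas every other template touched by this commit switches the same link to `https://`. On an HTTPS page this is mixed content, and it will presumably also fail the style-src of the policy this hunk adds with `@defaultCsp` (the style-src list is not visible in this diff), so the page would lose its fonts. It should read `https://fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300`.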
|
||||
|
|
|
@ -24,8 +24,8 @@ csp: Option[String] = None)(body: Html)(implicit ctx: Context)
|
|||
<meta http-equiv="Content-Security-Policy" content="@csp.getOrElse(defaultCsp)">
|
||||
@if(isProd) {
|
||||
<title>@fullTitle.getOrElse{@title • lichess.org}</title>
|
||||
<link href='//fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300' rel='stylesheet'>
|
||||
<link href="//fonts.googleapis.com/css?family=Roboto+Mono:500&text=0123456789:." rel="stylesheet">
|
||||
<link href="https://fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300" rel="stylesheet">
|
||||
<link href="https://fonts.googleapis.com/css?family=Roboto+Mono:500&text=0123456789:." rel="stylesheet">
|
||||
} else {
|
||||
<title>[dev] @fullTitle.getOrElse{@title • lichess.org}</title>
|
||||
@cssAt("offline/font.noto.css")
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
<html lang="@lang.language">
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta http-equiv="Content-Security-Policy" content="@defaultCsp">
|
||||
<title>lichess.org training</title>
|
||||
@ctx.currentBg match {
|
||||
case "dark" => { @cssTag("dark.css") }
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8"/>
|
||||
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src https://fonts.googleapis.com 'unsafe-inline'; font-src https://fonts.gstatic.com; script-src https://cdn.jsdelivr.net blob:; connect-src https://raw.githubusercontent.com; img-src data: https://lichess1.org;">
|
||||
<title>Lichess HTTP API documentation</title>
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
<link href="https://fonts.googleapis.com/css?family=Montserrat:300,400,700|Roboto:300,400,700" rel="stylesheet">
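Review bot: The policy on this page is a hand-written string rather than a ContentSecurityPolicy value, so it will not follow changes made to basicCsp in AssetHelper and has to be maintained separately; a short comment next to it explaining why this page is the exception (it is presumably static documentation rendered without a request context) would stop the next maintainer from "fixing" it. Within the string, `script-src https://cdn.jsdelivr.net blob:` allows any script hosted on that CDN origin; if the page only needs one package, a path-scoped source such as `https://cdn.jsdelivr.net/<package-path>/` (placeholder) or subresource integrity on the script tag narrows what can execute. Likewise `style-src ... 'unsafe-inline'` is broader than the other pages in this commit, which rely on nonces and explicit hosts; if it is required here, say so in the same comment.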
|
||||
|
|
|
@ -4,8 +4,9 @@
|
|||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta http-equiv="Content-Security-Policy" content="@defaultCsp">
|
||||
<title>@s.name: @chapter.name</title>
|
||||
<link href='//fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300' rel='stylesheet'>
|
||||
<link href="https://fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300" rel="stylesheet">
|
||||
@ctx.currentBg match {
|
||||
case "dark" => { @cssTag("dark.css") }
|
||||
case "transp" => { @cssTag("dark.css")@cssTag("transp.css") }
|
||||
|
|
|
@ -4,8 +4,9 @@
|
|||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta http-equiv="Content-Security-Policy" content="@defaultCsp">
|
||||
<title>404 - Study not available</title>
|
||||
<link href='//fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300' rel='stylesheet' type='text/css'>
|
||||
<link href="https://fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300" rel="stylesheet" type="text/css">
|
||||
@ctx.currentBg match {
|
||||
case "dark" => { @cssTag("dark.css") }
|
||||
case "transp" => { @cssTag("dark.css")@cssTag("transp.css") }
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
@(pov: Pov, bg: String, theme: String, assetVersion: lila.common.AssetVersion)
|
||||
@(pov: Pov, bg: String, theme: String, assetVersion: lila.common.AssetVersion)(implicit req: RequestHeader)
|
||||
|
||||
<!doctype html>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="Content-Security-Policy" content="@basicCsp">
|
||||
<title>lichess.org TV</title>
|
||||
@if(bg == "dark") {
|
||||
@cssAt("stylesheets/dark.css", true, assetVersion)
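Review bot: `<meta name="Content-Security-Policy" content="@basicCsp">` is never enforced by browsers, because a CSP delivered in markup must use the `http-equiv` attribute; with `name` it is inert metadata, so the TV embed page gets no policy at all despite this commit's intent. Every other template in the commit uses the correct form, so this line should be `<meta http-equiv="Content-Security-Policy" content="@basicCsp">`. Since this page is meant to be embedded, note also that a meta-delivered policy cannot carry `frame-ancestors`; if the embed's framing is meant to be restricted, that has to come from a response header set in the controller.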
|
||||
|
|
|
@ -10,6 +10,8 @@ case class ContentSecurityPolicy(
|
|||
scriptSrc: List[String]
|
||||
) {
|
||||
|
||||
def withScriptSrc(source: String) = copy(scriptSrc = source :: scriptSrc)
|
||||
|
||||
override def toString: String =
|
||||
List(
|
||||
"default-src " -> defaultSrc,
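Review bot: `withScriptSrc` is a public member of a case class but declares no return type, so its signature is inferred from `copy`; per the project's own style elsewhere in this file (`override def toString: String`) it should be `def withScriptSrc(source: String): ContentSecurityPolicy = copy(scriptSrc = source :: scriptSrc)`. A one-line scaladoc would help too, e.g. `/** Returns a copy of this policy with `source` prepended to script-src; callers pass an already-quoted source expression such as a nonce. */`, since the method does no quoting or validation of its argument. The enclosing class starts before this hunk.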
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
.game { margin-bottom: 2em; }
|
||||
</style>
|
||||
<meta content="noindex, nofollow" name="robots">
|
||||
<link href='//fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300' rel='stylesheet'>
|
||||
<link href="https://fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300" rel="stylesheet">
|
||||
</head>
|
||||
<body>
|
||||
<h1>lichess.org</h1>
|
||||
|
|