csp: we never use <base>

2018-07-28 05:16:51 +02:00 · 2018-07-28 05:16:51 +02:00 · fe959e68a4
parent cb094c7e78
commit fe959e68a4
2 changed files with 6 additions and 3 deletions
--- a/app/templating/AssetHelper.scala
+++ b/app/templating/AssetHelper.scala
@ -102,7 +102,8 @@ trait AssetHelper { self: I18nHelper =>
      frameSrc = List("'self'", assets, "https://www.youtube.com"),
      workerSrc = List("'self'", assets),
      imgSrc = List("data:", "*"),
-      scriptSrc = List("'self'", assets, "https://cdnjs.cloudflare.com")
+      scriptSrc = List("'self'", assets, "https://cdnjs.cloudflare.com"),
+      baseUri = List("'none'")
    )
  }

--- a/modules/common/src/main/ContentSecurityPolicy.scala
+++ b/modules/common/src/main/ContentSecurityPolicy.scala
@ -8,7 +8,8 @@ case class ContentSecurityPolicy(
    frameSrc: List[String],
    workerSrc: List[String],
    imgSrc: List[String],
-    scriptSrc: List[String]
+    scriptSrc: List[String],
+    baseUri: List[String]
 ) {

  private def withScriptSrc(source: String) = copy(scriptSrc = source :: scriptSrc)
@ -66,7 +67,8 @@ case class ContentSecurityPolicy(
      "frame-src " -> frameSrc,
      "worker-src " -> workerSrc,
      "img-src " -> imgSrc,
-      "script-src " -> scriptSrc
+      "script-src " -> scriptSrc,
+      "base-uri " -> baseUri
    ) collect {
        case (directive, sources) if sources.nonEmpty =>
          sources.mkString(directive, " ", ";")