From 3d65a40273aadaf4c7b27a8a4b059e1ccd09aa4c Mon Sep 17 00:00:00 2001
From: MickaelK
Date: Tue, 2 Apr 2024 18:53:34 +1100
Subject: [PATCH] feature (csp): admin option to enable/disable csp

One of the use case for this is to be able to open an html document via an iframe and have the content of the document to be fully loaded when we can assume the storage setup in Filestash is trusted
---
 server/ctrl/files.go | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/server/ctrl/files.go b/server/ctrl/files.go
index 3299d0ff..0095bcda 100644
--- a/server/ctrl/files.go
+++ b/server/ctrl/files.go
@@ -29,6 +29,7 @@ type FileInfo struct {
 var (
 	file_cache AppCache
 	zip_timeout func() int
+	disable_csp func() bool
 )
 
 func init() {
@@ -45,12 +46,24 @@ func init() {
 			return f
 		}).Int()
 	}
+	disable_csp = func() bool {
+		return Config.Get("features.protection.disable_csp").Schema(func(f *FormElement) *FormElement {
+			if f == nil {
+				f = &FormElement{}
+			}
+			f.Name = "disable_csp"
+			f.Type = "boolean"
+			f.Description = "Disable the content security policy. Unless you 100% trust the content in your storage and want to execute code running from that storage, you shouldn't have this option checked"
+			return f
+		}).Bool()
+	}
 	file_cache = NewAppCache()
 	file_cache.OnEvict(func(key string, value interface{}) {
 		os.RemoveAll(filepath.Join(GetAbsolutePath(TMP_PATH), key))
 	})
 	Hooks.Register.Onload(func() {
 		zip_timeout()
+		disable_csp()
 	})
 }
 
@@ -296,10 +309,10 @@ func FileCat(ctx *App, res http.ResponseWriter, req *http.Request) {
 	}
 
 	// publish headers
-	if contentLength != -1 {
+	if contentLength >= 0 {
 		header.Set("Content-Length", fmt.Sprintf("%d", contentLength))
 	}
-	if header.Get("Content-Security-Policy") == "" {
+	if disable_csp() == false {
 		header.Set("Content-Security-Policy", "default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'; font-src data:; script-src-element 'self'")
 	}
 	if fname := query.Get("name"); fname != "" {
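Review bot: The new `disable_csp` closure in init() has no comment saying that it is evaluated on every call (it re-reads `Config.Get("features.protection.disable_csp")` each time, like `zip_timeout` above it) and that the extra `disable_csp()` call in the Onload hook is there only for its side effect, presumably registering the form schema so the option appears in the admin UI before the first download; confirm that reading of Onload. A one-line comment on the assignment, `// disable_csp reads the admin setting on each call; FileCat consults it per request`, and one on the Onload line, `// called for its side effect: registers the schema, result discarded`, would make the intent explicit. Since this is a security-relevant toggle, the description shown to admins should also make clear that HTML from the storage then runs with the Filestash origin's privileges, which the present wording only implies.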
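Review bot: The guard `if header.Get("Content-Security-Policy") == ""` that this hunk removes also preserved any CSP header set earlier in FileCat or by an upstream middleware; the replacement `if disable_csp() == false` overwrites such a header unconditionally whenever the option is off, a behaviour change the commit message does not mention. If the earlier header can be meaningful, keep both conditions: `if !disable_csp() && header.Get("Content-Security-Policy") == "" {`. Even if the unconditional set is intended, `disable_csp() == false` reads better as `!disable_csp()`. The unrelated `contentLength >= 0` change deserves a sentence in the description. FileCat's body starts and ends outside the hunk.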