Add CSP

Polleps · Polleps · commit a31de8826428 · 2025-09-11T14:59:45.000+02:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/browser/data-browser/vite.config.ts b/browser/data-browser/vite.config.ts
@@ -1,8 +1,9 @@
-import { defineConfig } from 'vite';
+import { defineConfig, type PluginOption } from 'vite';
 import react from '@vitejs/plugin-react';
 import { VitePWA } from 'vite-plugin-pwa';
 import webfontDownload from 'vite-plugin-webfont-dl';
 import prismjs from 'vite-plugin-prismjs';
+
 export default defineConfig({
   plugins: [
     webfontDownload(),
@@ -165,6 +166,9 @@ export default defineConfig({
       },
     },
   },
+  html: {
+    cspNonce: 'ATOMICSERVER_NONCE',
+  },
   server: {
     strictPort: true,
     host: true,
diff --git a/lib/Cargo.toml b/lib/Cargo.toml
@@ -26,7 +26,7 @@ kuchikiki = { version = "0.8.2", optional = true }
 lol_html = { version = "1", optional = true }
 rand = { version = "0.8" }
 regex = "1"
-ring = "0.17.6"
+ring = "0.17.14"
 rio_api = { version = "0.8", optional = true }
 rio_turtle = { version = "0.8", optional = true }
 serde = { version = "1", features = ["derive"] }
diff --git a/server/Cargo.toml b/server/Cargo.toml
@@ -52,6 +52,7 @@ tracing-chrome = "0.7"
 tracing-log = "0.2"
 ureq = "2"
 urlencoding = "2"
+ring = "0.17.14"
 
 [dependencies.instant-acme]
 optional = true
diff --git a/server/src/handlers/single_page_app.rs b/server/src/handlers/single_page_app.rs
@@ -11,6 +11,7 @@ pub async fn single_page(
     path: actix_web::web::Path<String>,
 ) -> AtomicServerResult<HttpResponse> {
     let template = include_str!("../../assets_tmp/index.html");
+    let csp_nonce = generate_nonce().map_err(|_e| "Failed to generate nonce")?;
     let subject = format!("{}/{}", appstate.store.get_server_url()?, path);
     let meta_tags: MetaTags = if let Ok(resource_response) =
         appstate
@@ -22,8 +23,13 @@ pub async fn single_page(
         MetaTags::default()
     };
 
-    let script = format!("<script>{}</script>", appstate.config.opts.script);
+    let script = format!(
+        "<script nonce=\"{}\">{}</script>",
+        csp_nonce, appstate.config.opts.script
+    );
+
     let body = template
+        .replace("ATOMICSERVER_NONCE", &csp_nonce)
         .replace("<!-- { inject_html_head } -->", &meta_tags.to_string())
         .replace("<!-- { inject_script } -->", &script);
 
@@ -35,6 +41,10 @@ pub async fn single_page(
             "Cache-Control",
             "no-store, no-cache, must-revalidate, private",
         ))
+        .insert_header((
+            "Content-Security-Policy",
+            format!("script-src 'nonce-{}'; worker-src 'self'", csp_nonce),
+        ))
         .body(body);
 
     Ok(resp)
@@ -159,6 +169,17 @@ fn escape_html(s: &str) -> String {
         .replace('/', "&#x2F;")
 }
 
+fn generate_nonce() -> Result<String, ring::error::Unspecified> {
+    use base64::{engine::general_purpose, Engine as _};
+    use ring::rand::{SecureRandom, SystemRandom};
+
+    let mut nonce_bytes = [0u8; 32];
+    let rng = SystemRandom::new();
+    rng.fill(&mut nonce_bytes)?;
+
+    Ok(general_purpose::URL_SAFE_NO_PAD.encode(nonce_bytes))
+}
+
 #[cfg(test)]
 mod test {
     use super::MetaTags;
