nickva commented on a change in pull request #3724:
URL: https://github.com/apache/couchdb/pull/3724#discussion_r701460948



##########
File path: src/chttpd/src/chttpd_util.erl
##########
@@ -60,3 +61,40 @@ get_chttpd_auth_config_integer(Key, Default) ->
 get_chttpd_auth_config_boolean(Key, Default) ->
     config:get_boolean("chttpd_auth", Key,
         config:get_boolean("couch_httpd_auth", Key, Default)).
+
+
+maybe_add_csp_header(Component, OriginalHeaders, DefaultHeaderValue) ->
+    Enabled = config:get_boolean("csp", Component ++ "_enable", true),
+    couch_log:info("~n CSP for ~p: Enabled~p~n", [Component, Enabled]),
+    case Enabled of
+        true ->
+            HeaderValue = config:get("csp", Component ++ "_header_value", 
DefaultHeaderValue),
+            % As per 
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#multiple_content_security_policies
+            % The top most CSP header defines the most open policy,
+            % subsequent CSP headers set by show/list functions can
+            % only further restrict the policy.
+            %
+            % Ours goes on top and we don’t have to worry about additional
+            % headers set by users.
+            couch_log:info("~n adding CSP for ~p: ~p~n", [Component, 
HeaderValue]),
+            [{"Content-Security-Policy", HeaderValue} | OriginalHeaders];
+        false ->
+            % fallback for old config vars
+            case Component of
+                "utils" ->
+                    handle_legacy_config(OriginalHeaders, DefaultHeaderValue);
+                _ ->
+                    OriginalHeaders
+            end
+    end.
+
+handle_legacy_config(OriginalHeaders, DefaultHeaderValue) ->
+    LegacyUtilsEnabled = config:get_boolean("csp", "enable", true),
+    couch_log:info("~n Legacy CSP: Enabled~p~n", [LegacyUtilsEnabled]),
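Review bot: The three `couch_log:info` calls in this hunk (the `Enabled` line in maybe_add_csp_header, the `adding CSP` line, and the legacy-enabled line at the top of handle_legacy_config) log unchanging configuration values at info level; if this function sits on the response path, as its name and header-list argument suggest, every response will emit two or three log lines carrying the full policy string. They read like debugging leftovers rather than operational events, and a CSP change is already visible in the config itself. I would drop them, or keep at most one at debug level, e.g. `couch_log:debug("CSP for ~p: enabled=~p", [Component, Enabled])`. handle_legacy_config's body continues outside the hunk.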

Review comment:
       Minor nit as above about `~n` in log lines



