From b72528be5074f3e62e9ae2c2ae8ef9c07a0b4dd3 Mon Sep 17 00:00:00 2001
From: Pierre Bourdon
Date: Sun, 21 Apr 2024 16:14:24 +0200
Subject: [PATCH] web: serveFile: also serve a CSP putting served HTML in its own origin
---
 src/lib/Hydra/Controller/Build.pm | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/lib/Hydra/Controller/Build.pm b/src/lib/Hydra/Controller/Build.pm
index f8587169..de2c204d 100644
--- a/src/lib/Hydra/Controller/Build.pm
+++ b/src/lib/Hydra/Controller/Build.pm
@@ -234,6 +234,9 @@ sub serveFile {
 }
 elsif ($ls->{type} eq "regular") {
+ # Have the hosted data considered its own origin to avoid being a giant
+ # XSS hole.
+ $c->response->header('Content-Security-Policy' => 'sandbox allow-scripts');
 $c->stash->{'plain'} = { data => grab(cmd => ["nix", "--experimental-features", "nix-command", "store", "cat", "--store", getStoreUri(), "$path"]) };