vriska/hydra
0
0
Fork 0
forked from lix-project/hydra
Code Pull requests Activity

web: serveFile: also serve a CSP putting served HTML in its own origin

Browse source
This commit is contained in:
Pierre Bourdon 2024-04-21 16:14:24 +02:00
parent 5c3e508e55
commit ee1a7a7813
Signed by untrusted user: delroth
GPG key ID: 6FB80DCD84DA0F1C
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
src/lib/Hydra/Controller/Build.pm
View file

@ -236,6 +236,9 @@ sub serveFile {
} }
elsif ($ls->{type} eq "regular") { elsif ($ls->{type} eq "regular") {
# Have the hosted data considered its own origin to avoid being a giant
# XSS hole.
$c->response->header('Content-Security-Policy' => 'sandbox allow-scripts');
$c->stash->{'plain'} = { data => grab(cmd => ["nix", "--experimental-features", "nix-command", $c->stash->{'plain'} = { data => grab(cmd => ["nix", "--experimental-features", "nix-command",
"store", "cat", "--store", getStoreUri(), "$path"]) }; "store", "cat", "--store", getStoreUri(), "$path"]) };