web: serveFile: also serve a CSP putting served HTML in its own origin

2024-04-21 16:14:24 +02:00 · 2024-04-21 16:14:24 +02:00 · ee1a7a7813
parent 5c3e508e55
commit ee1a7a7813
1 changed files with 3 additions and 0 deletions
--- a/src/lib/Hydra/Controller/Build.pm
+++ b/src/lib/Hydra/Controller/Build.pm
@ -236,6 +236,9 @@ sub serveFile {
    }

    elsif ($ls->{type} eq "regular") {
+        # Have the hosted data considered its own origin to avoid being a giant
+        # XSS hole.
+        $c->response->header('Content-Security-Policy' => 'sandbox allow-scripts');

        $c->stash->{'plain'} = { data => grab(cmd => ["nix", "--experimental-features", "nix-command",
                                                      "store", "cat", "--store", getStoreUri(), "$path"]) };