fix: set csp header only for resource (#836)

2024-12-29 08:33:50 +08:00 · 2022-12-23 20:02:42 +08:00 · 2022-12-23 20:02:42 +08:00 · 99d9cc9168
commit 99d9cc9168
parent 119603da5d
2 changed files with 1 additions and 4 deletions
--- a/server/resource.go
+++ b/server/resource.go
@ -265,6 +265,7 @@ func (s *Server) registerResourcePublicRoutes(g *echo.Group) {
 		c.Response().Writer.Header().Set("Content-Type", resource.Type)
 		c.Response().Writer.WriteHeader(http.StatusOK)
 		c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
+		c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'self'")
 		if _, err := c.Response().Writer.Write(resource.Blob); err != nil {
 			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to write response").SetInternal(err)
 		}
--- a/server/server.go
+++ b/server/server.go
@ -44,10 +44,6 @@ func NewServer(profile *profile.Profile) *Server {
 		Timeout:      30 * time.Second,
 	}))

-	e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
-		ContentSecurityPolicy: "default-src 'self'",
-	}))
-
 	embedFrontend(e)

 	// In dev mode, set the const secret key to make signin session persistence.