comparison mod_http_oauth2/mod_http_oauth2.lua @ 5547:d4a2997deae9
mod_http_oauth2: Make CSP configurable
E.g. to enable forbidding all scripts if you don't use any scripts, or
allow scripts from your separate static content domain, etc.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 11 Jun 2023 14:06:28 +0200 |
parents | cb141088eff0 |
children | fd3c12c40cd9 |
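--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -70,19 +70,21 @@
 js = read_file(template_path, "script.js");
 };
 
 local site_name = module:get_option_string("site_name", module.host);
 
+local security_policy = module:get_option_string("oauth2_security_policy", "default-src 'self'");
+
 local render_html = require"util.interpolation".new("%b{}", st.xml_escape);
 local function render_page(template, data, sensitive)
 data = data or {};
 data.site_name = site_name;
 local resp = {
 status_code = data.error and data.error.code or 200;
 headers = {
 ["Content-Type"] = "text/html; charset=utf-8";
-["Content-Security-Policy"] = "default-src 'self'";
+["Content-Security-Policy"] = security_policy;
 ["Referrer-Policy"] = "no-referrer";
 ["X-Frame-Options"] = "DENY";
 ["Cache-Control"] = (sensitive and "no-store" or "no-cache")..", private";
 ["Pragma"] = "no-cache";
 };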
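Review bot: The new `oauth2_security_policy` option replaces the whole Content-Security-Policy header value, so an operator who only wants to permit one extra script origin has to restate `default-src 'self'` alongside it or the baseline policy is silently dropped; the line defining `security_policy` should carry a comment saying so, e.g. `-- Complete CSP header value; keep "default-src 'self'" when extending it`. An empty string configured for the option is passed through to the header as-is, which is equivalent to sending no policy at all, and I cannot tell from this hunk whether get_option_string already normalises that case, so it is worth either documenting or folding back to the default. Nothing in this diff documents the option for operators; if the module keeps a README listing its options, this one belongs there with its default. render_page continues past the end of the hunk.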