comparison mod_http_oauth2/mod_http_oauth2.lua @ 5547:d4a2997deae9

mod_http_oauth2: Make CSP configurable

E.g. to enable forbidding all scripts if you don't use any scripts, or to allow scripts from your separate static content domain, etc.
author Kim Alvefur <zash@zash.se>
date Sun, 11 Jun 2023 14:06:28 +0200
parents cb141088eff0
children fd3c12c40cd9
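--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -70,19 +70,21 @@
 js = read_file(template_path, "script.js");
 };
 
 local site_name = module:get_option_string("site_name", module.host);
 
+local security_policy = module:get_option_string("oauth2_security_policy", "default-src 'self'");
+
 local render_html = require"util.interpolation".new("%b{}", st.xml_escape);
 local function render_page(template, data, sensitive)
 data = data or {};
 data.site_name = site_name;
 local resp = {
 status_code = data.error and data.error.code or 200;
 headers = {
 ["Content-Type"] = "text/html; charset=utf-8";
-["Content-Security-Policy"] = "default-src 'self'";
+["Content-Security-Policy"] = security_policy;
 ["Referrer-Policy"] = "no-referrer";
 ["X-Frame-Options"] = "DENY";
 ["Cache-Control"] = (sensitive and "no-store" or "no-cache")..", private";
 ["Pragma"] = "no-cache";
 };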
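Review bot: The new `oauth2_security_policy` value is copied verbatim into the Content-Security-Policy header, so a configured empty string would be sent as an empty header, which browsers treat as no policy at all; since `get_option_string` appears to return whatever string is configured, the assignment at new line 75 should fall back to the default when the value is empty, e.g. `if security_policy == "" then security_policy = "default-src 'self'"; end`. The option is also undocumented where it is declared; a comment such as `-- CSP sent with every rendered page; tighten to e.g. "default-src 'self'; script-src 'none'" if no scripts are used` would make the intent stated in the commit message visible to admins reading the module. Note that the value is read once at module load, so a config change takes effect only after a reload; that is the usual Prosody behaviour and is fine, but worth stating alongside the comment.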