changeset 5547:d4a2997deae9

mod_http_oauth2: Make CSP configurable, e.g. to forbid all scripts if you don't use any, or to allow scripts from your separate static content domain, etc.
author Kim Alvefur <zash@zash.se>
date Sun, 11 Jun 2023 14:06:28 +0200
parents ae20da6d377d
children fd3c12c40cd9
files mod_http_oauth2/README.markdown mod_http_oauth2/mod_http_oauth2.lua
diffstat 2 files changed, 10 insertions(+), 1 deletions(-) [+]
--- a/mod_http_oauth2/README.markdown	Sun Jun 11 14:03:27 2023 +0200
+++ b/mod_http_oauth2/README.markdown	Sun Jun 11 14:06:28 2023 +0200
@@ -85,6 +85,13 @@
 }
 ```
 
+If you know what features your templates use use you can adjust the
+`Content-Security-Policy` header to only allow what is needed:
+
+```lua
+oauth2_security_policy = "default-src 'self'" -- this is the default
+```
+
 ### Token parameters
 
 The following options configure the lifetime of tokens issued by the module.
--- a/mod_http_oauth2/mod_http_oauth2.lua	Sun Jun 11 14:03:27 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Sun Jun 11 14:06:28 2023 +0200
@@ -72,6 +72,8 @@
 
 local site_name = module:get_option_string("site_name", module.host);
 
+local security_policy = module:get_option_string("oauth2_security_policy", "default-src 'self'");
+
 local render_html = require"util.interpolation".new("%b{}", st.xml_escape);
 local function render_page(template, data, sensitive)
 	data = data or {};
@@ -80,7 +82,7 @@
 		status_code = data.error and data.error.code or 200;
 		headers = {
 			["Content-Type"] = "text/html; charset=utf-8";
-			["Content-Security-Policy"] = "default-src 'self'";
+			["Content-Security-Policy"] = security_policy;
 			["Referrer-Policy"] = "no-referrer";
 			["X-Frame-Options"] = "DENY";
 			["Cache-Control"] = (sensitive and "no-store" or "no-cache")..", private";
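Review bot: The value read on the added line `local security_policy = module:get_option_string("oauth2_security_policy", "default-src 'self'");` is emitted verbatim as the `Content-Security-Policy` header in the second hunk, with no check on its contents. The config is operator-controlled, so this is hardening rather than a vulnerability, but a stray CR/LF (for instance a multi-line string in the config file) would most likely corrupt or split the response headers, and an empty string silently turns the policy off; a one-line check next to the option, such as `assert(not security_policy:find("[\r\n]"), "oauth2_security_policy must be a single line");`, would fail loudly at load time instead of producing a broken header on every response. A comment above the option would also help future editors, e.g. `-- Sent verbatim as Content-Security-Policy on every page rendered through render_page; loosening it (e.g. adding 'unsafe-inline') weakens all of them`. The function render_page, whose headers table the second hunk edits, starts in the first hunk and continues past the end of the section.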