From cecd7bc95ed7d5a52f87396eb4bec59c7193913d Mon Sep 17 00:00:00 2001 From: Mark Phelps <209477+markphelps@users.noreply.github.com> Date: Mon, 30 Jan 2023 11:59:39 -0500 Subject: [PATCH] fix: disable csp headers in non-release mode for ui dev (#1304) * fix: disable csp headers in non-release mode for ui dev * chore: cleanup --- cmd/flipt/main.go | 4 +--- internal/cmd/http.go | 7 +++++-- internal/info/flipt.go | 4 ++++ 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/cmd/flipt/main.go b/cmd/flipt/main.go index 74fbe94956..cc83612eaf 100644 --- a/cmd/flipt/main.go +++ b/cmd/flipt/main.go @@ -33,15 +33,13 @@ import ( _ "github.com/golang-migrate/migrate/v4/source/file" ) -const devVersion = "dev" - var ( cfg *config.Config cfgWarnings []string cfgPath string forceMigrate bool - version = devVersion + version = "dev" commit string date string goVersion = runtime.Version() diff --git a/internal/cmd/http.go b/internal/cmd/http.go index 091f124126..0bf88980ab 100644 --- a/internal/cmd/http.go +++ b/internal/cmd/http.go @@ -81,8 +81,11 @@ func NewHTTPServer( logger.Info("CORS enabled", zap.Strings("allowed_origins", cfg.Cors.AllowedOrigins)) } - r.Use(middleware.SetHeader("X-Content-Type-Options", "nosniff")) - r.Use(middleware.SetHeader("Content-Security-Policy", "default-src 'self'; img-src * data:;")) + // TODO: replace with more robust 'mode' detection + if !info.IsDevelopment() { + r.Use(middleware.SetHeader("X-Content-Type-Options", "nosniff")) + r.Use(middleware.SetHeader("Content-Security-Policy", "default-src 'self'; img-src * data:;")) + } r.Use(middleware.RequestID) r.Use(middleware.RealIP) diff --git a/internal/info/flipt.go b/internal/info/flipt.go index bee3beef0a..1fa70a9435 100644 --- a/internal/info/flipt.go +++ b/internal/info/flipt.go 
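Review bot: The hunk drops `X-Content-Type-Options: nosniff` together with the CSP header, although the commit only describes a CSP problem for UI development and nothing here shows that nosniff blocks the dev workflow; it should stay unconditional. The gate is also fail-open: `info.IsDevelopment()` is true for any binary whose version was never set via ldflags, so an operator who runs `go build` from source gets no CSP in production with no indication, which the `// TODO` on the line above the `if` already half-acknowledges. At minimum, emit a warning on the development path so the missing header is visible in the logs, and keep nosniff outside the condition. `NewHTTPServer` starts and ends outside this hunk, so the `logger` and `r` used below are taken from the visible context lines.

```go
// … unchanged: CORS setup …
if info.IsDevelopment() {
	// TODO: replace with more robust 'mode' detection
	logger.Warn("development build detected: Content-Security-Policy header disabled")
} else {
	r.Use(middleware.SetHeader("Content-Security-Policy", "default-src 'self'; img-src * data:;"))
}
// nosniff is unrelated to the UI dev-server CSP problem; keep it in every build.
r.Use(middleware.SetHeader("X-Content-Type-Options", "nosniff"))
// … unchanged: RequestID / RealIP middleware …
```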
@@ -15,6 +15,10 @@ type Flipt struct {
 	IsRelease bool `json:"isRelease"`
 }
 
+func (f Flipt) IsDevelopment() bool {
+	return f.Version == "dev" && !f.IsRelease
+}
+
 func (f Flipt) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	var (
 		out []byte
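Review bot: `IsDevelopment` is an exported method that a caller uses to relax HTTP security headers, yet it has no doc comment stating what "development" means here and what the literal `"dev"` is tied to (the `version` default in `cmd/flipt/main.go`, which this same commit inlines, so the two strings are now coupled across packages without a shared constant). I would add above the `func` line: `// IsDevelopment reports whether this binary is an unversioned, non-release build: the version string is the "dev" default (no -ldflags override) and IsRelease is unset. Any source build without version injection qualifies, so callers must not treat a true result as proof the process is not serving production traffic.` Consider also exporting the `"dev"` literal from this package and having `main.go` use it, so a change to either side cannot silently break the detection.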