Move CSP from HTML meta tag to Traefik header set by OPENC3_ALLOW_HTTP #2872
…LOW_HTTP env var Eliminates duplicate index-allow-http.html and traefik-allow-http.yaml files by moving CSP policy into Traefik headers middleware with a Go template conditional. Users can now uncomment OPENC3_ALLOW_HTTP=1 in .env to allow HTTP connections instead of swapping config files. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #2872 +/- ##
==========================================
- Coverage 78.84% 78.83% -0.02%
==========================================
Files 667 667
Lines 54527 54527
Branches 728 728
==========================================
- Hits 42990 42984 -6
- Misses 11459 11465 +6
Partials 78 78
| contentSecurityPolicy: | ||
| headers: | ||
| contentSecurityPolicy: >- | ||
| {{ if env "OPENC3_ALLOW_HTTP" }}default-src 'self' blob: data: http: https:; script-src 'unsafe-inline' 'unsafe-eval' http: https: blob:; connect-src blob: http: https: wss: ws:; style-src 'unsafe-inline' http: https:; object-src 'none';{{ else }}default-src 'self' blob: data: https: http://localhost:* http://host.docker.internal:* http://*.local:*; script-src 'unsafe-inline' 'unsafe-eval' https: blob: http://localhost:* http://host.docker.internal:* http://*.local:*; connect-src blob: https: wss: http://localhost:* http://host.docker.internal:* http://*.local:* ws://localhost:* ws://host.docker.internal:* ws://*.local:*; style-src 'unsafe-inline' https: http://localhost:* http://host.docker.internal:* http://*.local:*; object-src 'none';{{ end }} |
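Review bot: the condition `{{ if env "OPENC3_ALLOW_HTTP" }}` on the contentSecurityPolicy line is true for any non-empty value, so OPENC3_ALLOW_HTTP=0 or OPENC3_ALLOW_HTTP=false would still select the permissive branch with bare http: and ws: sources. Since the documented usage is OPENC3_ALLOW_HTTP=1, compare explicitly, for example `{{ if eq (env "OPENC3_ALLOW_HTTP") "1" }}`, so that a mis-set value falls through to the stricter policy.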
This also allows for easily updating these values in config instead of hard-coded in the HTML.
Syntax inconsistency {{- if vs {{ if, although I don't think there's any meaningful difference.
So the rule is {{- at the beginning of an action removes all trailing whitespace (including newlines) from the immediately preceding text. I think this maybe does matter. I will test and change all to one style.
The {{- actually broke the template so I removed these from the other templates
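The trim-marker rule discussed in this thread, as an added example that is not code from the PR: it renders a shortened copy of the fragment with Go's `text/template`, once with `{{` and once with `{{-`, and goes slightly beyond the thread by also showing which branch a non-empty value such as `0` selects. The `env` function here is a stand-in backed by a map, and the two policy strings are shortened, constructed values.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Shortened stand-ins for the two policies in the PR (constructed for this example).
const (
	allowHTTP = "default-src 'self' http: https:; object-src 'none';"
	httpsOnly = "default-src 'self' https:; object-src 'none';"
)

// snippet builds the YAML fragment; open is the opening delimiter, "{{" or "{{-".
func snippet(open string) string {
	return "contentSecurityPolicy: >-\n  " + open + ` if env "OPENC3_ALLOW_HTTP" }}` +
		allowHTTP + "{{ else }}" + httpsOnly + "{{ end }}\n"
}

// render executes the fragment with a stand-in env function that reads from
// vars instead of the process environment, so the result is deterministic.
func render(open string, vars map[string]string) (string, error) {
	funcs := template.FuncMap{"env": func(k string) string { return vars[k] }}
	t, err := template.New("csp").Funcs(funcs).Parse(snippet(open))
	if err != nil {
		return "", err
	}
	var b strings.Builder
	err = t.Execute(&b, nil)
	return b.String(), err
}

func main() {
	// Print every combination of delimiter style and variable value.
	for _, open := range []string{"{{", "{{-"} {
		for _, v := range []string{"", "1", "0"} {
			out, err := render(open, map[string]string{"OPENC3_ALLOW_HTTP": v})
			fmt.Printf("open=%q OPENC3_ALLOW_HTTP=%q err=%v\n%s\n", open, v, err, out)
		}
	}
}
```

With `{{-` the newline and indentation after `>-` are removed, so the policy text lands on the same line as the block-scalar indicator instead of in the indented block below it.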
| contentSecurityPolicy: | ||
| headers: | ||
| contentSecurityPolicy: >- | ||
| {{ if env "OPENC3_ALLOW_HTTP" }}default-src 'self' blob: data: http: https:; script-src 'unsafe-inline' 'unsafe-eval' http: https: blob:; connect-src blob: http: https: wss: ws:; style-src 'unsafe-inline' http: https:; object-src 'none';{{ else }}default-src 'self' blob: data: https: http://localhost:* http://host.docker.internal:* http://*.local:*; script-src 'unsafe-inline' 'unsafe-eval' https: blob: http://localhost:* http://host.docker.internal:* http://*.local:*; connect-src blob: https: wss: http://localhost:* http://host.docker.internal:* http://*.local:* ws://localhost:* ws://host.docker.internal:* ws://*.local:*; style-src 'unsafe-inline' https: http://localhost:* http://host.docker.internal:* http://*.local:*; object-src 'none';{{ end }} |
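Review bot: neither branch of the policy on the contentSecurityPolicy line sets frame-ancestors or base-uri, and default-src does not act as a fallback for either directive. Because the policy is now delivered as a response header rather than a meta tag, frame-ancestors would be honoured here (it is ignored in a meta element), so consider appending `frame-ancestors 'self'; base-uri 'self';` to both branches if the UI is not meant to be embedded by other origins.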
Syntax inconsistency {{- if vs {{ if, although I don't think there's any meaningful difference.
Eliminates duplicate index-allow-http.html and traefik-allow-http.yaml files by moving CSP policy into Traefik headers middleware with a Go template conditional. Users can now uncomment OPENC3_ALLOW_HTTP=1 in .env to allow HTTP connections instead of swapping config files.