| Field | Value | Date |
|---|---|---|
| author | Jan Lehnardt <jan@apache.org> | 2021-07-23 22:28:42 +0200 |
| committer | Jan Lehnardt <jan@apache.org> | 2021-09-08 15:32:39 +0200 |
| commit | 64281c0358e206a54e3b1386a7bc3b3e7c30547f | |
| tree | aa44887c3bcbd1bf8b6fee45b8fba1a704021dbb /rel/overlay | |
| parent | aabc7ae445c47ba57d15a4b6c6601bd0d818abb7 | |
| download | couchdb-64281c0358e206a54e3b1386a7bc3b3e7c30547f.tar.gz | |
feat: add more fine-grained CSP support
This introduces CSP settings for attachments and show/list funs and
streamlines the configuration with the existing Fauxton CSP options.
Deprecates the old `[csp] enable` and `[csp] header_value` config
options, but they are honoured going forward.
They are replaced with `[csp] utils_enable` and `[csp] utils_header_value`
respectively. The functionality and default values remain the same.
In addition, these new config options are added, along with their
default values:
```ini
[csp]
attachments_enable = true
attachments_header_value = sandbox
showlist_enable = true
showlist_header_value = sandbox
```
These add `Content-Security-Policy` headers to all attachment requests
and to all non-JSON show and all list function responses.
Co-authored-by: Nick Vatamaniuc <vatamane@gmail.com>
Co-authored-by: Robert Newson <rnewson@apache.org>
Diffstat (limited to 'rel/overlay')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | rel/overlay/etc/default.ini | 10 |

1 files changed, 7 insertions, 3 deletions
diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini index d64fb0a0c..d3710ce44 100644 --- a/rel/overlay/etc/default.ini +++ b/rel/overlay/etc/default.ini @@ -314,10 +314,14 @@ authentication_db = _users ; max_iterations, password_scheme, password_regexp, proxy_use_secret, ; public_fields, secret, users_db_public, cookie_domain, same_site -; CSP (Content Security Policy) Support for _utils +; CSP (Content Security Policy) Support [csp] -;enable = true -; header_value = default-src 'self'; img-src 'self'; font-src *; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; +;utils_enable = true +;utils_header_value = default-src 'self'; img-src 'self'; font-src *; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; +;attachments_enable = true +;attachments_header_value = sandbox +;showlist_enable = true +;showlist_header_value = sandbox [cors] ;credentials = false |
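Review bot: the rewritten `[csp]` block drops the commented `;enable = true` and `; header_value = ...` lines without saying what happens to them, even though the commit message states the old `[csp] enable` and `[csp] header_value` keys are deprecated but still honoured; operators upgrading with the old keys set cannot tell from `default.ini` which key wins if both are present. Suggest keeping a one-line pointer in place of the removed lines, e.g. `; enable and header_value are deprecated; use utils_enable and utils_header_value`, and stating the precedence. Also, the section comment changed from `Support for _utils` to just `Support`, so nothing in the file now explains that `utils_*` applies to Fauxton, `attachments_*` to attachment responses and `showlist_*` to non-JSON show/list responses (as the commit message does); a short comment above each pair would carry that into the shipped config. Finally, `sandbox` is a bare directive with no value, unlike the `utils_header_value` example; a comment noting that it is intentional (the response is treated as a sandboxed origin, with scripts blocked) would prevent readers from assuming the value was truncated.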