cmd/pomerium: wrap global mux with standard middleware #117
Codecov Report

@@            Coverage Diff            @@
##           master     #117     +/-   ##
=========================================
+ Coverage   81.35%   82.16%   +0.8%
=========================================
  Files          32       32
  Lines        1888     1861     -27
=========================================
- Hits         1536     1529      -7
+ Misses        280      262     -18
+ Partials       72       70      -2
"X-Frame-Options": "SAMEORIGIN", | ||
"X-XSS-Protection": "1; mode=block", | ||
"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload", | ||
"Content-Security-Policy": "default-src 'none'; style-src 'self' 'sha256-pSTVzZsFAqd2U3QYu+BoBDtuJWaPM/+qMy/dBRrhb5Y='; img-src 'self';", |
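Review bot: the "Content-Security-Policy" entry on the last line of this header map, with "default-src 'none'", is emitted on every response once this map is applied from the global mux, so scripts and inline styles on pages served through the proxy get refused by the browser; keep "X-Frame-Options", "X-XSS-Protection" and "Strict-Transport-Security" in the global set, but move "Content-Security-Policy" (and any Referrer-Policy) into a separate map that is applied only on the authenticate service's handlers, where the hash-pinned style-src actually matches the page being served.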
Looks like this Content-Security-Policy header is breaking the loading of JavaScript:
Refused to load the script '<URL>' because it violates the following Content Security Policy directive: "default-src 'none'". Note that 'script-src-elem' was not explicitly set, so 'default-src' is used as a fallback.
XXX.apkay.com/:83 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'sha256-pSTVzZsFAqd2U3QYu+BoBDtuJWaPM/+qMy/dBRrhb5Y='". Either the 'unsafe-inline' keyword, a hash ('sha256-wycEadbqyap1lzI8fe5whjcPll4StPOU2pDRk+cjffU='), or a nonce ('nonce-...') is required to enable inline execution.
Thanks @yegle. The CSP/Referrer-Policy should only apply to the authenticate service's http handlers. Good catch. Fix incoming.
These changes abstract the shared middleware to the global serve mux. Headers, request id, loggers, and health checks (ping) middleware are now applied on all routes including 4xx and 5xx responses.
See
Checklist:
/cc @yegle
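The layout the PR description and the review thread converge on, as an added example that is not pomerium's own code: fixed headers, request id and health check are applied once around the global mux, so even a 404 produced by the mux carries them, while the Content-Security-Policy is attached only to the authenticate handler. The route paths (/sign_in, /app/, /ping), the helper names (Chain, SetHeaders, RequestID, Healthcheck, Probe) and the in-memory handlers are all assumptions made for the example; the header values are the ones from the reviewed snippet, minus the CSP.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// GlobalHeaders go on every response. Content-Security-Policy is deliberately
// absent here: a "default-src 'none'" policy would break proxied upstream pages.
var GlobalHeaders = map[string]string{
	"X-Frame-Options":           "SAMEORIGIN",
	"X-XSS-Protection":          "1; mode=block",
	"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
}

// AuthenticateCSP is a constructed policy for the authenticate service's own pages.
const AuthenticateCSP = "default-src 'none'; style-src 'self'; img-src 'self';"

// Middleware wraps one http.Handler in another.
type Middleware func(http.Handler) http.Handler

// Chain applies middleware so that the first one listed runs outermost.
func Chain(h http.Handler, mws ...Middleware) http.Handler {
	for i := len(mws) - 1; i >= 0; i-- {
		h = mws[i](h)
	}
	return h
}

// SetHeaders writes fixed headers before the wrapped handler runs, so they are
// also present on 4xx/5xx responses the mux generates itself.
func SetHeaders(headers map[string]string) Middleware {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			for k, v := range headers {
				w.Header().Set(k, v)
			}
			next.ServeHTTP(w, r)
		})
	}
}

// RequestID echoes the client's X-Request-Id or mints a random one.
func RequestID(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := r.Header.Get("X-Request-Id")
		if id == "" {
			b := make([]byte, 8)
			rand.Read(b)
			id = hex.EncodeToString(b)
		}
		w.Header().Set("X-Request-Id", id)
		next.ServeHTTP(w, r)
	})
}

// Healthcheck answers /ping itself; every other path falls through to the mux.
func Healthcheck(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/ping" {
			w.WriteHeader(http.StatusOK)
			fmt.Fprint(w, "OK")
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewServer builds the global mux. Paths are hypothetical stand-ins.
func NewServer() http.Handler {
	mux := http.NewServeMux()

	// Authenticate service: the CSP is scoped to this handler only.
	authenticate := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<html>sign-in form</html>")
	})
	mux.Handle("/sign_in", SetHeaders(map[string]string{"Content-Security-Policy": AuthenticateCSP})(authenticate))

	// Proxy service: upstream content passes through without a CSP.
	mux.HandleFunc("/app/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<html><script src=\"/app/app.js\"></script></html>")
	})

	// Outermost first: headers, then request id, then health check, then the mux.
	return Chain(mux, SetHeaders(GlobalHeaders), RequestID, Healthcheck)
}

// Probe issues an in-memory request and returns status code and response headers.
func Probe(h http.Handler, path string) (int, http.Header) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	res := rec.Result()
	return res.StatusCode, res.Header
}

func main() {
	srv := NewServer()
	for _, p := range []string{"/sign_in", "/app/index.html", "/ping", "/missing"} {
		code, hdr := Probe(srv, p)
		fmt.Printf("%-16s %d HSTS=%q CSP=%q\n", p, code,
			hdr.Get("Strict-Transport-Security"), hdr.Get("Content-Security-Policy"))
	}
}
```

Running it shows that /missing comes back 404 but still carries the HSTS, X-Frame-Options and X-Request-Id headers, while only /sign_in carries a Content-Security-Policy; that is the split the review comment asked for.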