c9f79dee66
- 添加 GenerateNonce() 生成加密安全的随机 nonce - SecurityHeaders 中间件为每个请求生成唯一 nonce - CSP 策略支持 __CSP_NONCE__ 占位符动态替换 - embed_on.go 注入的内联脚本添加 nonce 属性 - 添加 Cloudflare Insights 域名到 CSP 允许列表 - 添加完整单元测试,覆盖率达到 89.8% 解决的问题: - 内联脚本违反 CSP script-src 指令 - Cloudflare Insights beacon.min.js 加载被阻止 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
60 lines
1.5 KiB
Go
60 lines
1.5 KiB
Go
package middleware
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"strings"
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/config"
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
const (
|
|
// CSPNonceKey is the context key for storing the CSP nonce
|
|
CSPNonceKey = "csp_nonce"
|
|
// NonceTemplate is the placeholder in CSP policy for nonce
|
|
NonceTemplate = "__CSP_NONCE__"
|
|
)
|
|
|
|
// GenerateNonce generates a cryptographically secure random nonce
|
|
func GenerateNonce() string {
|
|
b := make([]byte, 16)
|
|
_, _ = rand.Read(b)
|
|
return base64.StdEncoding.EncodeToString(b)
|
|
}
|
|
|
|
// GetNonceFromContext retrieves the CSP nonce from gin context
|
|
func GetNonceFromContext(c *gin.Context) string {
|
|
if nonce, exists := c.Get(CSPNonceKey); exists {
|
|
if s, ok := nonce.(string); ok {
|
|
return s
|
|
}
|
|
}
|
|
return ""
|
|
}
|
|
|
|
// SecurityHeaders sets baseline security headers for all responses.
|
|
func SecurityHeaders(cfg config.CSPConfig) gin.HandlerFunc {
|
|
policy := strings.TrimSpace(cfg.Policy)
|
|
if policy == "" {
|
|
policy = config.DefaultCSPPolicy
|
|
}
|
|
|
|
return func(c *gin.Context) {
|
|
c.Header("X-Content-Type-Options", "nosniff")
|
|
c.Header("X-Frame-Options", "DENY")
|
|
c.Header("Referrer-Policy", "strict-origin-when-cross-origin")
|
|
|
|
if cfg.Enabled {
|
|
// Generate nonce for this request
|
|
nonce := GenerateNonce()
|
|
c.Set(CSPNonceKey, nonce)
|
|
|
|
// Replace nonce placeholder in policy
|
|
finalPolicy := strings.ReplaceAll(policy, NonceTemplate, "'nonce-"+nonce+"'")
|
|
c.Header("Content-Security-Policy", finalPolicy)
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|