Dual CSP - A small Go program showing that a report-only CSP does not affect an enforced Content Security Policy (CSP).
package main | |
import (
	"fmt"
	"log"
	"net/http"
	"time"
)
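// serve writes a fixed HTML page containing four inline scripts and sets two
// CSP headers on the response: an enforced policy that admits only the nonce
// 0XGOOD, and a report-only policy that admits only the nonce 0XREPORTGOOD.
// A conforming browser should execute only the first script; the other three
// (including the one carrying the report-only nonce) are blocked by the
// enforced policy, which is the point of the demo: report-only never widens
// or narrows what the enforced header allows, it only generates reports.
//
// The report-only header carries no report-to/report-uri directive, so its
// violations are visible only in the browser's developer console.
func serve(w http.ResponseWriter, req *http.Request) {
	const page = `
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>blah</title>
</head>
<body>
<p>I'm the content</p>
<script nonce="0XGOOD">
console.log("this script has a good CSP nonce");
</script>
<script nonce="0XBAD">
console.log("this script has a bad CSP nonce");
</script>
<script nonce="0XREPORTGOOD">
console.log("this script has a report good CSP report-only nonce");
</script>
<script nonce="0XBAD">
console.log("this script has a bad CSP report-only nonce");
</script>
</body>
</html>
`
	h := w.Header()
	// Enforced policy: a script runs only if it carries nonce 0XGOOD.
	h.Add("content-security-policy", "script-src 'strict-dynamic' 'nonce-0XGOOD'")
	// Report-only policy: evaluated independently, blocks nothing, and cannot
	// loosen the enforced policy above, so the 0XREPORTGOOD script still does
	// not execute. The fixed nonces are fine for a demo only; a real server
	// must mint a fresh, unpredictable nonce per response.
	h.Add("content-security-policy-report-only", "script-src 'strict-dynamic' 'nonce-0XREPORTGOOD'")
	// Declare the type explicitly rather than relying on content sniffing.
	h.Set("Content-Type", "text/html; charset=utf-8")
	// Fprint, not Fprintf: the page is data, not a format string. With Fprintf
	// a literal '%' in the markup would be mangled (go vet flags this too).
	fmt.Fprint(w, page)
}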
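// main serves the demo page for every path on port 4321 and exits with the
// listen error instead of returning silently when the port cannot be bound.
func main() {
	http.HandleFunc("/", serve)
	// ":4321" binds every interface, as the original did; use "127.0.0.1:4321"
	// if the demo should be reachable only from the local machine.
	srv := &http.Server{
		Addr:              ":4321",
		ReadHeaderTimeout: 5 * time.Second,
		ReadTimeout:       10 * time.Second,
		WriteTimeout:      10 * time.Second,
	}
	// ListenAndServe always returns a non-nil error; surface it.
	log.Fatal(srv.ListenAndServe())
}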