debugBrowserHeaderHandler is a wrapper around BrowserHeaderHandler with a more relaxed Content-Security-Policy that's acceptable for internal debug pages. It should not be used on any public-facing handlers!
```go
// debugBrowserHeaderHandler is a wrapper around BrowserHeaderHandler with a
// more relaxed Content-Security-Policy that's acceptable for internal debug
// pages. It should not be used on any public-facing handlers!
func debugBrowserHeaderHandler(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		AddBrowserHeaders(w)
		// The only difference from AddBrowserHeaders is that this policy
		// allows inline CSS styles. They make debug pages much easier to
		// prototype, while the risk of user-injected CSS is relatively low.
		w.Header().Set("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; object-src 'none'; style-src 'self' 'unsafe-inline'")
		h.ServeHTTP(w, r)
	})
}
```
no test coverage detected
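The warning about public-facing handlers can be enforced with a check that serves one request through a handler and reports any `'unsafe-inline'` or `'unsafe-eval'` source in the policy it emits. This is an added example, not code from the project: `withCSP` and `unsafeSources` are hypothetical names, and `withCSP` is a constructed stand-in that only sets the header, because `AddBrowserHeaders` is not shown on this page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// Policy string copied from debugBrowserHeaderHandler above.
const debugCSP = "default-src 'self'; frame-ancestors 'none'; form-action 'self'; base-uri 'self'; block-all-mixed-content; object-src 'none'; style-src 'self' 'unsafe-inline'"

// withCSP is a constructed stand-in for a wrapped handler; it only sets the header.
func withCSP(policy string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if policy != "" {
			w.Header().Set("Content-Security-Policy", policy)
		}
	})
}

// unsafeSources (hypothetical helper) serves one GET through h and lists every
// "directive source" pair that uses 'unsafe-inline' or 'unsafe-eval'.
// A response that carries no CSP header at all is reported as well.
func unsafeSources(h http.Handler, path string) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	policies := rec.Header().Values("Content-Security-Policy")
	if len(policies) == 0 {
		return []string{"missing Content-Security-Policy"}
	}
	var bad []string
	for _, directive := range strings.Split(strings.Join(policies, ";"), ";") {
		f := strings.Fields(strings.ToLower(directive))
		if len(f) < 2 {
			continue // empty segment or directive without sources
		}
		for _, src := range f[1:] {
			if src == "'unsafe-inline'" || src == "'unsafe-eval'" {
				bad = append(bad, f[0]+" "+src)
			}
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	fmt.Println("debug:", unsafeSources(withCSP(debugCSP), "/"))
	fmt.Println("none: ", unsafeSources(withCSP(""), "/"))
}
```

In a test suite, a non-empty result for any route registered on the public mux would fail the build.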