config:serve: add 'disable-csp' + 'csp' attributes

Signed-off-by: Enrico Scholz <[email protected]>
trunk-rs · Jan 6, 2025 · fd0a2a7 · fd0a2a7
1 parent 889ba75
commit fd0a2a7
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 0 deletions.
diff --git a/schemas/config.json b/schemas/config.json
@@ -490,11 +490,27 @@
             "type": "string"
           }
         },
+        "csp": {
+          "description": "The CSP;  {{NONE}} is replaced by a random nonce",
+          "default": [
+            "script-src 'wasm-unsafe-eval' 'nonce-{{NONCE}}'",
+            "style-src 'nonce-{{NONCE}}'"
+          ],
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
         "disable_address_lookup": {
           "description": "Disable the reverse DNS lookup during startup",
           "default": false,
           "type": "boolean"
         },
+        "disable_csp": {
+          "description": "Disable CSP header",
+          "default": false,
+          "type": "boolean"
+        },
         "headers": {
           "description": "Additional headers to send in responses",
           "default": {},

diff --git a/src/cmd/serve.rs b/src/cmd/serve.rs
@@ -65,6 +65,10 @@ pub struct Serve {
     /// A base path to serve the application from [default: <public-url>]
     #[arg(long, env = "TRUNK_SERVE_SERVE_BASE")]
     pub serve_base: Option<String>,
+    /// Disable Content-Security-Policy [default: false]
+    #[arg(long)]
+    #[arg(default_missing_value="false", num_args=0..=1)]
+    pub disable_csp: Option<bool>,
 
     // NOTE: flattened structures come last
     #[command(flatten)]
@@ -134,6 +138,7 @@ impl Serve {
             tls_cert_path,
             serve_base,
             watch,
+            disable_csp,
         } = self;
 
         // apply overrides
@@ -158,6 +163,7 @@ impl Serve {
 
         config.serve.ws_protocol = ws_protocol.or(config.serve.ws_protocol);
         config.serve.ws_base = ws_base.or(config.serve.ws_base);
+        config.serve.disable_csp = disable_csp.unwrap_or(config.serve.disable_csp);
 
         if let Some(backend) = proxy_backend {
             // we have a single proxy from the command line

diff --git a/src/config/models/serve.rs b/src/config/models/serve.rs
@@ -82,6 +82,12 @@ pub struct Serve {
     #[serde(default)]
     #[deprecated]
     pub proxy_no_system_proxy: Option<bool>,
+    /// Disable CSP header
+    #[serde(default)]
+    pub disable_csp: bool,
+    /// The CSP;  {{NONE}} is replaced by a random nonce
+    #[serde(default = "default::csp")]
+    pub csp: Vec<String>,
 }
 
 impl Default for Serve {
@@ -110,6 +116,8 @@ impl Default for Serve {
             proxy_insecure: None,
             proxy_no_system_proxy: None,
             proxy_no_redirect: None,
+            disable_csp: false,
+            csp: default::csp(),
         }
     }
 }
@@ -118,6 +126,15 @@ mod default {
     pub const fn port() -> u16 {
         8080
     }
+
+    pub fn csp() -> Vec<String> {
+        [
+            "script-src 'wasm-unsafe-eval' 'nonce-{{NONCE}}'",
+            "style-src 'nonce-{{NONCE}}'",
+        ]
+        .map(|s| s.to_string())
+        .into()
+    }
 }
 
 macro_rules! check_proxy_setting {

diff --git a/src/config/rt/serve.rs b/src/config/rt/serve.rs
@@ -48,6 +48,8 @@ pub struct RtcServe {
     pub tls: Option<TlsConfig>,
     /// A base path to serve the application from
     pub serve_base: Option<String>,
+    /// Disable Content-Security-Policy
+    pub csp: Option<Vec<String>>,
 }
 
 impl Deref for RtcServe {
@@ -100,6 +102,8 @@ impl RtcServe {
             proxy_insecure: _,
             proxy_no_system_proxy: _,
             proxy_no_redirect: _,
+            disable_csp,
+            csp,
         } = config.serve;
 
         let tls = tls_config(
@@ -122,6 +126,7 @@ impl RtcServe {
             ws_base,
             tls,
             serve_base,
+            csp: (!disable_csp).then_some(csp),
         })
     }