Add config macro for disabling Content-Security-Policy

ToMe25 · Apr 4, 2024 · c61a636 · c61a636
1 parent 73caa92
commit c61a636
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 3 deletions.
diff --git a/src/config.h b/src/config.h
@@ -87,6 +87,7 @@ static const IPAddress SUBNET = IPAddress(255, 255, 255, 0);
 // Web Server options
 // Whether or not to enable the web server on the esp.
 // Set to 1 to enable and to 0 to disable.
+// Default is 1.
 #ifndef ENABLE_WEB_SERVER
 #define ENABLE_WEB_SERVER 1
 #endif
@@ -97,7 +98,9 @@ static constexpr uint16_t WEB_SERVER_PORT = 80;
 // The value for the Server header of all http responses sent by the webserver.
 // The hardware name may be added to the server header.
 // The default value is "ESP-WiFi-Thermometer".
+#ifndef SERVER_HEADER_PROGRAM
 #define SERVER_HEADER_PROGRAM "ESP-WiFi-Thermometer"
+#endif
 // Whether the hardware name in brackets should be added to the Server header.
 // Set to 1 to enable and 0 to disable.
 #define SERVER_HEADER_APPEND_HARDWARE 1
@@ -108,6 +111,13 @@ static constexpr uint16_t WEB_SERVER_PORT = 80;
 // The range of valid values is -8 to -15.
 // Default is -10.
 static constexpr int8_t GZIP_DECOMP_WINDOW_SIZE = -10;
+// Whether or not a Content-Security-Policy should be sent with html pages.
+// This prevents scripts from other sources from being loaded, but can make debugging and addons harder/less reliable.
+// Set to 0 to disable.
+// Default is 1.
+#ifndef ENABLE_CONTENT_SECURITY_POLICY
+#define ENABLE_CONTENT_SECURITY_POLICY 1
+#endif
 
 // Web server automatic config.
 #if SERVER_HEADER_APPEND_HARDWARE != 1

diff --git a/src/prometheus.cpp b/src/prometheus.cpp
@@ -9,7 +9,9 @@
  */
 
 #include "prometheus.h"
+#if ENABLE_DEEP_SLEEP_MODE == 1
 #include "main.h"
+#endif
 #include "sensor_handler.h"
 #include "generated/esptherm_version.h"
 #include <iomanip>

diff --git a/src/webhandler.cpp b/src/webhandler.cpp
@@ -422,9 +422,11 @@ web::ResponseData web::staticHandler(const uint16_t status_code,
 
 	response->setCode(code);
 
+#if ENABLE_CONTENT_SECURITY_POLICY == 1
 	if (strcmp(content_type.c_str(), "text/html") == 0) {
-		response->addHeader("Content-Security-Policy", "default-src 'self'");
+		response->addHeader("Content-Security-Policy", CSP_VALUE);
 	}
+#endif
 
 	if (etag_str != NULL) {
 		response->addHeader("ETag", etag_str);
@@ -500,9 +502,11 @@ web::ResponseData web::compressedStaticHandler(const uint16_t status_code,
 	response->setCode(code);
 	response->addHeader("Vary", "Accept-Encoding");
 
+#if ENABLE_CONTENT_SECURITY_POLICY == 1
 	if (strcmp(content_type.c_str(), "text/html") == 0) {
-		response->addHeader("Content-Security-Policy", "default-src 'self'");
+		response->addHeader("Content-Security-Policy", CSP_VALUE);
 	}
+#endif
 
 	if (enc_etag != NULL) {
 		response->addHeader("ETag", enc_etag);
@@ -562,9 +566,13 @@ web::ResponseData web::replacingRequestHandler(
 			std::bind(replacingResponseFiller, replacements, offset, start, end,
 					_1, _2, _3));
 	response->setCode(status_code);
+
+#if ENABLE_CONTENT_SECURITY_POLICY == 1
 	if (!strcmp(content_type.c_str(), "text/html")) {
-		response->addHeader("Content-Security-Policy", "default-src 'self'");
+		response->addHeader("Content-Security-Policy", CSP_VALUE);
 	}
+#endif
+
 	response->addHeader("Cache-Control", CACHE_CONTROL_NOCACHE);
 	return ResponseData(response, content_length, status_code);
 }

diff --git a/src/webhandler.h b/src/webhandler.h
@@ -166,6 +166,13 @@ static constexpr char CACHE_CONTROL_NOCACHE[] = "no-store";
  */
 static constexpr char CACHE_CONTROL_CACHE[] = "public, no-cache";
 
+#if ENABLE_CONTENT_SECURITY_POLICY == 1
+/**
+ * The Content-Security-Policy to send with html responses.
+ */
+static constexpr char CSP_VALUE[] = "default-src 'self'";
+#endif
+
 /**
  * The character to use as a template delimiter.
  */