kindspells / astro-shield

Astro integration to enhance your website's security with SubResource Integrity hashes, Content-Security-Policy headers, and other techniques.
https://astro-shield.kindspells.dev
MIT License
57 stars 6 forks

(Netlify) CSP headers are generated for full path (including .html), but not for paths ending on `/` #107

Closed castarco closed 2 months ago

castarco commented 2 months ago

It seems that, for some reason, the CSP headers are not "attached" to paths ending in `/`, only to paths that include the full file name.

An example of a `_headers` configuration file generated by Astro-Shield, which includes the paths ending in `/` (it seems that doesn't work well 😢):

```
# The config for `/` does not work well
/
    content-security-policy: script-src 'self' 'sha256-2WuRaoBDyP6+xwvZy812CbGbnJEtRyaQ+TISjVXfIkw='; style-src 'self' 'sha256-ZlgyI5Bx/aeAyk/wSIypqeIM5PBhz9IiAek9HIiAjaI='

# The config for `/es/` does not work well
/es/
    content-security-policy: script-src 'self' 'sha256-tvf9zEN6xy3u/Aa9a9YzhAYtoMNT38Tkyx0bW1Z/UKk='; style-src 'self' 'sha256-J4U/wAKuxeFWuwWSV8kSYyq/CEW+Jvs2FCK8E2Palh8='

# The config for `/es/index.html` works as expected
/es/index.html
    content-security-policy: script-src 'self' 'sha256-tvf9zEN6xy3u/Aa9a9YzhAYtoMNT38Tkyx0bW1Z/UKk='; style-src 'self' 'sha256-J4U/wAKuxeFWuwWSV8kSYyq/CEW+Jvs2FCK8E2Palh8='

# The config for `/index.html` works as expected
/index.html
    content-security-policy: script-src 'self' 'sha256-2WuRaoBDyP6+xwvZy812CbGbnJEtRyaQ+TISjVXfIkw='; style-src 'self' 'sha256-ZlgyI5Bx/aeAyk/wSIypqeIM5PBhz9IiAek9HIiAjaI='
```

Related to #65.

castarco commented 2 months ago

I'll have to confirm that this is really a bug... it might be that I didn't see the headers because the content was cached (and the content retrieved again).
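One way to tell a real gap from a cache artifact is to parse the generated `_headers` file and compare, path by path, the CSP it declares against the CSP the CDN actually served. This is an added example, not astro-shield's or Netlify's code: the `_headers` text is a trimmed copy of the one quoted above (the `style-src` part dropped for brevity), and the "observed" responses are constructed to reproduce the reported symptom.

```python
# Added example (not astro-shield's code). The `_headers` text below is trimmed
# from the issue above; OBSERVED is a constructed set of per-path responses.
HEADERS_FILE = """\
/
    content-security-policy: script-src 'self' 'sha256-2WuRaoBDyP6+xwvZy812CbGbnJEtRyaQ+TISjVXfIkw='
/es/
    content-security-policy: script-src 'self' 'sha256-tvf9zEN6xy3u/Aa9a9YzhAYtoMNT38Tkyx0bW1Z/UKk='
/es/index.html
    content-security-policy: script-src 'self' 'sha256-tvf9zEN6xy3u/Aa9a9YzhAYtoMNT38Tkyx0bW1Z/UKk='
/index.html
    content-security-policy: script-src 'self' 'sha256-2WuRaoBDyP6+xwvZy812CbGbnJEtRyaQ+TISjVXfIkw='
"""

def parse_headers_file(text):
    """Return {path: {header-name: value}} from a Netlify-style `_headers` file."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0] not in " \t":  # unindented line: a new path pattern
            current = line
            rules.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"header line before any path: {line!r}")
        name, _, value = line.partition(":")  # indented line: `name: value`
        rules[current][name.strip().lower()] = value.strip()
    return rules

def missing_csp(rules, observed):
    """Paths whose served CSP is absent or differs from what `_headers` declares.
    `observed` maps path -> {lowercase header name: value} as returned by the CDN."""
    bad = []
    for path, expected in rules.items():
        want = expected.get("content-security-policy")
        got = observed.get(path, {}).get("content-security-policy")
        if want is not None and got != want:
            bad.append(path)
    return bad

# Constructed responses: only the full file names carried the header.
OBSERVED = {
    "/": {"content-type": "text/html"},
    "/es/": {"content-type": "text/html"},
    "/index.html": {"content-security-policy": "script-src 'self' 'sha256-2WuRaoBDyP6+xwvZy812CbGbnJEtRyaQ+TISjVXfIkw='"},
    "/es/index.html": {"content-security-policy": "script-src 'self' 'sha256-tvf9zEN6xy3u/Aa9a9YzhAYtoMNT38Tkyx0bW1Z/UKk='"},
}

if __name__ == "__main__":
    print(missing_csp(parse_headers_file(HEADERS_FILE), OBSERVED))  # ['/', '/es/']
```

When collecting real responses, fetch each path with caching bypassed (for example a fresh client and a cache-busting query string) so a stale cached copy is not mistaken for a missing header.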