feat(csp): auto-inject purchase_subscription_url origin into frame-src#702
Closed
touwaeriol wants to merge 2 commits into Wei-Shaw:main from
touwaeriol (Contributor, Author): Superseded by #727, which extends this PR's CSP frame-src logic to also support custom menu pages with multi-origin deduplication. Closing in favor of the more complete PR.
Background

When an admin configures a `purchase_subscription_url`, its origin must be present in the CSP `frame-src` directive, or the browser will block the iframe. Previously, the domain had to be hard-coded in `SECURITY_CSP_POLICY`, requiring a config change and a service restart whenever the URL changed.

Purpose

Automatically extract the origin from `purchase_subscription_url` and inject it into `frame-src`. Changes take effect on the next request after the admin saves settings; no restart required.

Changes

Backend

- `SecurityHeaders` new parameter: adds an optional `getFrameSrc func() string`; it is called once per request, and a non-empty returned origin is injected into `frame-src` via the existing `addToDirective`; passing `nil` preserves existing behavior exactly.
- `router.go` dynamic cache: `SetupRouter` uses `atomic.Pointer[string]` to cache the payment origin; it is initialized from settings at startup and refreshed via `SetOnUpdateCallback` on every settings change; each request does one `atomic.Load` (in-memory, nanosecond cost).
- `router.go` new `extractOrigin`: extracts `scheme://host` from a raw URL, returning `""` on parse error or empty host.
- Test coverage for the `nil`-skip and empty-string-skip scenarios; all existing test call sites updated to pass `nil`.

Behavior

- `purchase_subscription_url` not set: `frame-src` unchanged
- `purchase_subscription_url` set: origin auto-appended to `frame-src`
- per-request cost: one `atomic.Load` (nanoseconds)
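The mechanism described above, as an added example that is not the PR's own code: an `extractOrigin` that reduces a raw URL to `scheme://host` (or `""` when the URL does not parse or has no host), an `addToDirective` that appends a source to one CSP directive without duplicating it, an `atomic.Pointer[string]` cache whose `Update` method stands in for the settings-update callback, and a per-request `buildCSP` that leaves the policy untouched when the getter is `nil` or returns an empty origin. The project's real `SecurityHeaders` middleware, `addToDirective` and settings callback are not on the page, so the signatures, the `net/http` wrapper and the sample policy and URL are assumptions; the handling of a lone `'none'` in the target directive is also an assumption added here because adding a source next to `'none'` yields a policy browsers flag.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"sync/atomic"
)

// extractOrigin returns scheme://host for rawURL, or "" when the URL cannot be
// parsed or lacks a scheme or host (assumed implementation of the contract the
// PR describes). Scheme-less ("//cdn.example.com") and opaque ("mailto:...")
// inputs therefore never reach the CSP.
func extractOrigin(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return ""
	}
	return u.Scheme + "://" + u.Host
}

// addToDirective appends value to the named directive of a serialized CSP,
// creating the directive if absent and skipping the append if the value is
// already listed. A directive that is exactly "'none'" is replaced, because
// "'none' https://x" is an invalid combination that browsers warn about.
func addToDirective(policy, directive, value string) string {
	var out []string
	found := false
	for _, seg := range strings.Split(policy, ";") {
		seg = strings.TrimSpace(seg)
		if seg == "" {
			continue
		}
		fields := strings.Fields(seg)
		if fields[0] == directive {
			found = true
			present := false
			for _, f := range fields[1:] {
				if f == value {
					present = true
					break
				}
			}
			switch {
			case present:
				// already there: keep the directive as-is (idempotent)
			case len(fields) == 2 && fields[1] == "'none'":
				seg = directive + " " + value
			default:
				seg = seg + " " + value
			}
		}
		out = append(out, seg)
	}
	if !found {
		out = append(out, directive+" "+value)
	}
	return strings.Join(out, "; ")
}

// frameSrcCache holds the payment origin the way the PR describes: the
// settings-update callback stores a fresh value, and each request loads it
// once without taking a lock.
type frameSrcCache struct {
	origin atomic.Pointer[string]
}

// Update is what the settings callback would call with the new raw URL.
func (c *frameSrcCache) Update(rawURL string) {
	o := extractOrigin(rawURL)
	c.origin.Store(&o)
}

// Get is the per-request getter handed to the middleware as getFrameSrc.
func (c *frameSrcCache) Get() string {
	if p := c.origin.Load(); p != nil {
		return *p
	}
	return ""
}

// buildCSP computes the header value for one request. A nil getter or an
// empty origin returns basePolicy unchanged, matching the PR's nil/"" skips.
func buildCSP(basePolicy string, getFrameSrc func() string) string {
	if getFrameSrc == nil {
		return basePolicy
	}
	origin := getFrameSrc()
	if origin == "" {
		return basePolicy
	}
	return addToDirective(basePolicy, "frame-src", origin)
}

// SecurityHeaders is an assumed net/http shape of the middleware; the project
// may use a different router, but the per-request logic is the same.
func SecurityHeaders(next http.Handler, basePolicy string, getFrameSrc func() string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", buildCSP(basePolicy, getFrameSrc))
		next.ServeHTTP(w, r)
	})
}

func main() {
	// constructed sample policy and URL
	base := "default-src 'self'; frame-src 'self'; img-src 'self' data:"
	cache := &frameSrcCache{}
	cache.Update("https://pay.example.com/checkout?plan=pro")
	fmt.Println(buildCSP(base, cache.Get))
	cache.Update("") // admin clears the URL: next request falls back to base
	fmt.Println(buildCSP(base, cache.Get))
}
```

Wiring `cache.Update` into the settings-update callback and passing `cache.Get` as `getFrameSrc` reproduces the "effective on the next request" behaviour without a restart; the `'none'` branch and the duplicate check are the two cases worth a unit test when porting this to a real policy string.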