author | Martin Fischer <martin@push-f.com> | 2021-06-24 21:07:45 +0200 |
---|---|---|
committer | Martin Fischer <martin@push-f.com> | 2021-06-24 23:14:15 +0200 |
commit | d43543440e5d3f0e93ed1cf197601d778541c3ae (patch) | |
tree | d966b40936d7ef8cb559e2b556d3b9e01a5f824b /src/main.rs | |
parent | b019d39957bd644d9b6b856738b57eb87e0506de (diff) |
generate <script> tags and CSP from Page vectors
Diffstat (limited to 'src/main.rs')
-rw-r--r-- | src/main.rs | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/src/main.rs b/src/main.rs
index 5c9f10c..4d0c1b3 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -214,14 +214,21 @@ async fn service<C: Controller>(
 ) -> Result<HyperResponse, Infallible> {
 let (mut parts, body) = request.into_parts();
 
+ let mut script_csp = "'none'".into();
+
 let mut resp = build_response(args, &*controller, &mut parts, body)
 .await
 .map(|resp| match resp {
 Response::Raw(resp) => resp,
- Response::Page(page) => Builder::new()
- .content_type(mime::TEXT_HTML)
- .body(render_page(&page, &*controller, &parts).into())
- .unwrap(),
+ Response::Page(page) => {
+ if !page.script_src.is_empty() {
+ script_csp = page.script_src.join(" ");
+ }
+ Builder::new()
+ .content_type(mime::TEXT_HTML)
+ .body(render_page(&page, &*controller, &parts).into())
+ .unwrap()
+ }
 })
 .unwrap_or_else(|err| {
 let (status, message) = match err {
@@ -257,9 +264,9 @@ async fn service<C: Controller>(
 resp.headers_mut().insert(
 header::CONTENT_SECURITY_POLICY,
 format!(
- "default-src 'self'; frame-src 'none'; script-src 'sha256-{}'; style-src 'sha256-{}'",
- include_str!("static/edit_script.js.sha256"),
- include_str!("static/style.css.sha256"),
+ "default-src 'self'; frame-src 'none'; script-src {}; style-src {}",
+ script_csp,
+ include_str!("static/style.css.sha"),
 )
 .parse()
 .unwrap(),
@@ -267,10 +274,15 @@ async fn service<C: Controller>(
 Ok(resp)
 }
 
+#[derive(Default)]
 pub struct Page {
 title: String,
 header: Option<String>,
 body: String,
+ /// will be embedded as inline <script> tags
+ scripts: Vec<&'static str>,
+ /// for the Content Security Policy
+ script_src: Vec<&'static str>,
 }
 
 fn render_page<C: Controller>(page: &Page, controller: &C, parts: &Parts) -> String {
@@ -289,6 +301,9 @@ fn render_page<C: Controller>(page: &Page, controller: &C, parts: &Parts) -> Str
 );
 out.push_str("</header>");
 out.push_str(&page.body);
+ for script in &page.scripts {
+ out.push_str(&format!("<script>{}</script>", script));
+ }
 out.push_str("</body></html>");
 out
 }
|
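Review bot: In the `Response::Page` arm, a page that sets `scripts` but leaves `script_src` empty keeps the `'none'` default, so its inline scripts are emitted and then blocked by the browser with no server-side signal. That fails closed, which is the right direction, but the mismatch is easy to miss; a `debug_assert!(page.scripts.is_empty() || !page.script_src.is_empty());` before the `if` would surface it in tests. As a style point, `let mut script_csp = "'none'".into();` gets its type only from the later assignment, and `let mut script_csp = String::from("'none'");` reads more directly. `service` begins and ends outside this hunk.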
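Review bot: `script_csp` is interpolated into the header with no check on its contents, so an entry containing `;` would start a new directive and an entry with a control character would make `.parse().unwrap()` panic inside the request handler. The entries are `&'static str`, so this is a developer-error path rather than attacker input, but a guard such as `debug_assert!(!script_csp.contains(';'));` before the `format!` keeps the policy shape fixed. The same concern applies to `static/style.css.sha`: the format string no longer wraps it in `'sha256-…'`, so presumably the file now carries the full quoted source expression, and a trailing newline in it would fail the parse on every response; a comment naming the expected file format would help. The enclosing call sits in `service`, which extends beyond the hunk.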
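Review bot: The doc comment on `script_src` does not say what form the entries take or what an empty vector means. Something like `/// CSP source expressions for script-src, each complete with its quotes (e.g. a 'sha256-…' hash); joined with spaces, and an empty vector yields script-src 'none'` would make the field usable without reading `service`. It would also help to state on `scripts` that each entry needs a matching hash in `script_src`, since nothing in the type ties the two vectors together.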
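Review bot: Each entry of `page.scripts` is written between the tags verbatim, so a script whose text contains `</script>` would close the element early, and any whitespace the template added would change the bytes that a CSP hash has to cover. Both are worth a comment above the loop, e.g. `// emitted verbatim: the CSP hash covers exactly these bytes, and the text must not contain "</script>"`. Stylistically, `out.push_str(&format!(…))` builds a temporary `String` per script; three calls, `out.push_str("<script>");`, `out.push_str(script);` and `out.push_str("</script>");`, avoid it. `render_page` starts outside the hunk.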