commit | 1940919ec221055f2596eb5d67c85ade0ed2ccde | [log] [tgz] |
---|---|---|
author | Jonathan Amsterdam <jba@google.com> | Wed Jun 24 16:11:07 2020 -0400 |
committer | Jonathan Amsterdam <jba@google.com> | Mon Jun 29 21:25:26 2020 +0000 |
tree | 1113adbcaf58bd2fdac5c1fa64613f47536ba69d | |
parent | a26944168487b0f75158a4cc20e81f5979978fd9 [diff] |
many: change CSP to use hashes instead of nonces

Change our content security policy (CSP) for scripts. Instead of using a nonce, which lends itself poorly to caching, use hashes. See https://csp.withgoogle.com/docs/faq.html, search for "CSP hashes".

To make hashes work, the hash of every inline script must appear in our Content-Security-Policy header. Also, not all browsers support hashing with scripts loaded from files, so we must dynamically load the files by using an inline script that builds a script tag with a src attribute. (We need to do this anyway for the Google Tag Manager script.) See the link above for a description of the technique. It works because the CSP header mentions 'strict-dynamic', which trusts everything loaded from a trusted script.

Ideally, we would both generate all these hashes automatically, and check that they are all correct. This CL doesn't do that. A followup CL will.

List of changes:
- Replace script tags with src attributes with inline scripts that load from the files.
- In internal/middleware/secureheaders.go, add the list of script hashes to the CSP header.
- Remove all references to nonces.

Updates b/159711607.

Change-Id: Ia9b78ecd85e24619e758f2580a370778708b9e71
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/239897
Reviewed-by: Roberto Clapis <robclap8@gmail.com>
Reviewed-by: Julie Qiu <julie@golang.org>
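The commit message above describes the hash-based policy: the SHA-256 of every inline script goes into the header, 'strict-dynamic' extends trust to whatever a hashed script loads, and `<script src=...>` tags are replaced by inline loaders that create the script element. The Go program below is an added example written for this page; it is not pkgsite's internal/middleware/secureheaders.go. It computes the hashes, assembles the script-src directive, and implements the consistency check the message leaves to a follow-up CL. The page template, the fallback sources in the directive and every function name are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// ScriptHash returns the CSP source expression for one inline script body:
// 'sha256-<base64(SHA-256(body))>'. The hash covers the exact bytes between
// <script> and </script>, whitespace included, so the template and the
// header must agree byte for byte.
func ScriptHash(body string) string {
	sum := sha256.Sum256([]byte(body))
	return "'sha256-" + base64.StdEncoding.EncodeToString(sum[:]) + "'"
}

// ScriptSrcPolicy builds the script-src directive: the hash of every inline
// script plus 'strict-dynamic', so script elements created by a hashed
// (trusted) script are trusted too. 'unsafe-inline' and https: are fallbacks
// that browsers understanding hashes and 'strict-dynamic' ignore.
// (Fallback choice is an assumption for this example.)
func ScriptSrcPolicy(hashes []string) string {
	parts := append([]string{"script-src"}, hashes...)
	parts = append(parts, "'strict-dynamic'", "'unsafe-inline'", "https:")
	return strings.Join(parts, " ")
}

var inlineScriptRE = regexp.MustCompile(`(?s)<script(?:\s[^>]*)?>(.*?)</script>`)

// InlineScripts extracts the bodies of inline <script> elements from a page.
// Elements with a src attribute have empty bodies and are skipped: a hash
// cannot authorize a src= script in every browser, which is why the page
// loads such files through an inline loader instead.
func InlineScripts(html string) []string {
	var bodies []string
	for _, m := range inlineScriptRE.FindAllStringSubmatch(html, -1) {
		if strings.TrimSpace(m[1]) != "" {
			bodies = append(bodies, m[1])
		}
	}
	return bodies
}

// MissingHashes reports the inline scripts in html whose hash is absent from
// the script-src directive. A browser enforcing that directive blocks each one.
func MissingHashes(html, policy string) []string {
	var missing []string
	for _, body := range InlineScripts(html) {
		if !strings.Contains(policy, ScriptHash(body)) {
			missing = append(missing, body)
		}
	}
	return missing
}

// LoaderFor returns the inline loader that replaces <script src="...">.
// json.Marshal yields a JavaScript-safe string literal for the path. Because
// the loader itself is hashed, 'strict-dynamic' propagates trust to the file.
func LoaderFor(src string) string {
	lit, err := json.Marshal(src)
	if err != nil {
		panic(err)
	}
	return "var s=document.createElement('script');s.src=" + string(lit) + ";document.head.appendChild(s);"
}

// ExamplePage is a constructed template for this example, not a pkgsite page.
const ExamplePage = `<html><head>
<script>var s=document.createElement('script');s.src="/static/js/site.js";document.head.appendChild(s);</script>
<script>console.log("hello");</script>
</head></html>`

func main() {
	var hashes []string
	for _, body := range InlineScripts(ExamplePage) {
		hashes = append(hashes, ScriptHash(body))
	}
	policy := ScriptSrcPolicy(hashes)
	fmt.Println("Content-Security-Policy:", policy)
	fmt.Println("missing:", len(MissingHashes(ExamplePage, policy)))

	// Any edit to an inline script, even added whitespace, invalidates its hash.
	edited := strings.Replace(ExamplePage, `console.log("hello");`, `console.log("hello" );`, 1)
	fmt.Println("missing after edit:", len(MissingHashes(edited, policy)))
}
```

Running MissingHashes against every rendered template in a test is the cheap way to catch the failure mode the message warns about: a template edit that silently stops matching the header. Note that hashes only cover `<script>` bodies; inline event handlers such as `onclick=` are not authorized by them, so they still have to go.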
Pkg.go.dev is a website for discovering and evaluating Go packages and modules.
You can check it out at https://pkg.go.dev.
Pkg.go.dev launched in November 2019, and is currently under active development by the Go team.
Here's what we are currently working on:
Design updates: We have some design changes planned for pkg.go.dev, to address UX feedback that we have received. You can expect a more cohesive search and navigation experience coming soon. We plan to share these designs for feedback once they are ready.
Godoc.org redirect: Longer term, we are working towards redirecting godoc.org traffic to pkg.go.dev. We know that there are features available on godoc.org that users want to see on pkg.go.dev, and we want to ensure that we address these. We’ve been keeping track of issues related to redirecting godoc.org traffic on Go issue #39144. These issues will be prioritized in the next few months. We also plan to continue improving our license detection algorithm.
Search improvements: We’ll be improving our search experience based on feedback in Go issue #37810, to make it easier for users to find the dependencies they are looking for and make better decisions around which ones to import.
We encourage everyone to begin using pkg.go.dev today for all of their needs and to file feedback! You can redirect all of your requests from godoc.org to pkg.go.dev by clicking "Always use pkg.go.dev" at the top of any page on godoc.org.
If you want to report a bug or have a feature suggestion, please first check the known issues to see if your issue is already being discussed. If an issue does not already exist, feel free to file an issue.
For answers to frequently asked questions, see go.dev.
You can also chat with us on the #tools slack channel on the Gophers slack.
We would love your help!
Our canonical Git repository is located at go.googlesource.com/pkgsite. There is a mirror of the repository at github.com/golang/pkgsite.
To contribute, please read our contributing guide.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.