devtools/cmd/csphash: check for template expansion in scripts
Report any scripts that will change dynamically due to a template
expansion. CSP hashing can't support scripts like that, because the
contents and therefore the hash will change on each execution.
Change-Id: I975859a59c8f5d19bcd0ffc5dad1e5068a380587
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/240500
Reviewed-by: Julie Qiu <julie@golang.org>
diff --git a/devtools/cmd/csphash/main.go b/devtools/cmd/csphash/main.go
index d1fea80..f50bbfb 100644
--- a/devtools/cmd/csphash/main.go
+++ b/devtools/cmd/csphash/main.go
@@ -55,6 +55,12 @@
fmt.Printf("%s: has script with src attribute: %s\n", file, s.tag)
ok = false
}
+ if bytes.Contains(s.body, []byte("{{")) {
+ fmt.Printf("%s: has script with template expansion:\n%s\n", file, s.body)
+ fmt.Printf("Scripts must be static so they have a constant hash.\n")
+ ok = false
+ continue
+ }
hash := cspHash(s.body)
if !cspHashMap[hash] {
fmt.Printf("missing hash: add the lines below to %s:\n", *hashFile)
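Review bot: The new `bytes.Contains(s.body, []byte("{{"))` test has no comment stating what it assumes, and it recognises only the default template delimiters. If any template under the scanned directories is parsed with custom delimiters (not visible from this hunk), a dynamic inline script would still be hashed from its source text and pass the check. The reverse also holds: a static script whose JavaScript contains a literal `{{` is reported as a template expansion, so the message could mention that possibility. I would add above the check something like `// A "{{" in the body means the rendered script differs from the file text, so a hash of the source cannot match the CSP header; assumes default delimiters.` The enclosing loop starts and ends outside the hunk.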