
feat: add configurable Content Security Policy (CSP) support #517


Merged
merged 6 commits into from
Jun 11, 2025

Conversation

davidgasquez

Changes

  • Add configurable Content Security Policy (CSP) support with --csp CLI flag
  • Support three CSP modes: "off" (no CSP), "self" (strict), and "inline" (default with inline scripts/styles)
  • Maintain backward compatibility with "inline" as the default setting

Claude Code Prompt

Update the `cuhttp` server to add support for the following CSP options in the CLI:

- `--csp=off`
- `--csp=self`
- `--csp=inline`

The default option should be inline. Commit changes once you're done.

- Add --csp CLI flag with options: "off", "self", "inline" (default)
- Configure CSP headers in HTTP server based on setting
- Allow disabling CSP or using strict "self" policy
- Default "inline" setting maintains backward compatibility

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
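The three modes listed in the PR description, worked through as an added example; this is not the PR's or curio's own code, and the exact policy strings, the type and function names (`CSPMode`, `ParseCSPMode`, `PolicyFor`, `WithCSP`, `HeaderFor`) and the rejection of unknown values are assumptions made here to show the shape of such a setting, not behaviour taken from the page:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CSPMode mirrors the three settings the PR describes: "off", "self" and "inline".
type CSPMode string

const (
	CSPOff    CSPMode = "off"
	CSPSelf   CSPMode = "self"
	CSPInline CSPMode = "inline" // default: keeps existing inline scripts/styles working
)

// ParseCSPMode validates a user-supplied setting and applies the "inline"
// default for an empty value. Unknown values are rejected rather than mapped
// to "off", so a typo in the config cannot silently disable the policy.
// (Hypothetical helper, not curio's parser.)
func ParseCSPMode(s string) (CSPMode, error) {
	switch CSPMode(s) {
	case "":
		return CSPInline, nil
	case CSPOff, CSPSelf, CSPInline:
		return CSPMode(s), nil
	default:
		return "", fmt.Errorf("unknown csp mode %q (want off, self or inline)", s)
	}
}

// PolicyFor returns the Content-Security-Policy header value for a mode.
// The policy strings are constructed for this example, not copied from curio:
//   - "self" allows only same-origin scripts, styles, images, fonts and fetches;
//   - "inline" adds 'unsafe-inline' for scripts and styles only, which an
//     existing UI with inline <script>/<style> blocks needs to keep working,
//     at the cost of losing CSP's XSS mitigation for those two directives.
func PolicyFor(mode CSPMode) string {
	switch mode {
	case CSPSelf:
		return "default-src 'self'; object-src 'none'; frame-ancestors 'self'"
	case CSPInline:
		return "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; frame-ancestors 'self'"
	default: // CSPOff
		return ""
	}
}

// WithCSP wraps a handler and sets the header before the inner handler writes.
// In "off" mode no header is emitted at all (an empty CSP header is not the
// same as no policy, so it is omitted rather than set to "").
func WithCSP(mode CSPMode, next http.Handler) http.Handler {
	policy := PolicyFor(mode)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if policy != "" {
			w.Header().Set("Content-Security-Policy", policy)
		}
		next.ServeHTTP(w, r)
	})
}

// HeaderFor runs the middleware against an in-memory request and returns the
// CSP header a client would see; useful both in tests and for a manual check.
func HeaderFor(mode CSPMode) string {
	h := WithCSP(mode, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<html>ok</html>")
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Header().Get("Content-Security-Policy")
}

func main() {
	// Constructed sample inputs, including the empty default and one typo.
	for _, s := range []string{"", "off", "self", "inline", "strict"} {
		mode, err := ParseCSPMode(s)
		if err != nil {
			fmt.Printf("--csp=%q: %v\n", s, err)
			continue
		}
		fmt.Printf("--csp=%q -> mode %s, header %q\n", s, mode, HeaderFor(mode))
	}
}
```

The reason to fail on unknown values rather than fall back to "off" is the point raised later in the thread: disabling the policy is the dangerous direction, so it should require an explicit, documented choice rather than happen through a misspelled setting.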
davidgasquez and others added 2 commits June 4, 2025 11:20
Co-authored-by: Rod Vagg <[email protected]>

@LexLuthr LexLuthr left a comment


This should not be a flag. It must go in config. Also, the config comment should mention the issues/dangers of enabling this.


momack2 commented Jun 5, 2025

cc @patrickwoodhead re Spark FilCDN

@davidgasquez

Hey folks! Anything I can help to move this along?


@rvagg rvagg left a comment


with doc changes to make it less alarmist

@LexLuthr

I like the changes from Rod. Can we run `make gen` to fix the failing tests?
First accept the changes and then run `make gen` locally. Then push the updates.

Please make sure to check the output of `make gen` for any errors. It does require certain binaries to complete and might complain about missing ones.

@davidgasquez

I've accepted @rvagg's changes but am struggling now to run `make gen`. I was able to install Go and some of the deps like cbor-gen-for, but am having a hard time with Filecoin FFI (giving me errors related to my OpenCL headers/GPU).

Any chance the codegen can be run in CI? Are there containers I can use instead?

@LexLuthr

OpenCL should not cause issues with FFI, as it is supported. Try the following:

  1. git submodule update --all --init
  2. cd extern/filecoin-ffi
  3. make build (remove all FFI related vars from ENV files) - This should use pre-built FFI from github
  4. cd ../../
  5. make gen

Make gen cannot be fixed in CI.

@davidgasquez

Great! I think that did it! Thanks @LexLuthr. Just pushed the generated files.

`make gen` logs
❯ export PATH=$PATH:~/go/bin && make gen
go run ./api/gen/api/proxygen.go
FixImports will run only from the 'make gen' target
go generate ./...
Generating Cbor Marshal/Unmarshal...Done.

cannot open /home/david/.cache/go-build/b6/b6080f82c4c6200f73330b7ee06281f8ec545ea296aa5d93740fb42bfd9e4acf-d/main/out.gotext.json: open /home/david/.cache/go-build/b6/b6080f82c4c6200f73330b7ee06281f8ec545ea296aa5d93740fb42bfd9e4acf-d/main/out.gotext.json: not a directory
rearranged successfully
rearranged successfully
Generating Cbor Marshal/Unmarshal...Done.

Generating Cbor Marshal/Unmarshal...Done.

go run ./deps/config/cfgdocgen > ./deps/config/doc_gen.go
go build  -o docgen-md ./scripts/docgen/cmd
FixImports will run only from the 'make gen' target
echo '---' > documentation/en/api.md
echo 'description: Curio API references' >> documentation/en/api.md
echo '---' >> documentation/en/api.md
echo '' >> documentation/en/api.md
echo '# API' >> documentation/en/api.md
echo '' >> documentation/en/api.md
./docgen-md "api/api_curio.go" "Curio" "api" "./api" >> documentation/en/api.md
FixImports will run only from the 'make gen' target
FixImports will run only from the 'make gen' target
go build  -o docgen-openrpc ./api/docgen-openrpc/cmd
./docgen-openrpc "api/api_curio.go" "Curio" "api" "./api" > build/openrpc/curio.json
FixImports will run only from the 'make gen' target
FixImports will run only from the 'make gen' target
rm -f curio
GOAMD64=v3 CGO_LDFLAGS_ALLOW= go build  \
-tags "cunative" \
-o curio -ldflags " -s -w \
-X github.com/filecoin-project/curio/build.IsOpencl= \
-X github.com/filecoin-project/curio/build.CurrentCommit=+git_`git log -1 --format=%h_%cI`" \
./cmd/curio
rm -f sptool
go build  -tags "cunative" -o sptool ./cmd/sptool
python3 ./scripts/generate-cli.py
> ./curio
> ./curio cli
> ./curio cli info
> ./curio cli storage
> ./curio cli storage attach
> ./curio cli storage detach
> ./curio cli storage list
> ./curio cli storage find
> ./curio cli storage generate-vanilla-proof
> ./curio cli storage redeclare
> ./curio cli log
> ./curio cli log list
> ./curio cli log set-level
> ./curio cli wait-api
> ./curio cli stop
> ./curio cli cordon
> ./curio cli uncordon
> ./curio cli index-sample
> ./curio run
> ./curio config
> ./curio config default
> ./curio config set
> ./curio config get
> ./curio config list
> ./curio config interpret
> ./curio config remove
> ./curio config edit
> ./curio config new-cluster
> ./curio test
> ./curio test window-post
> ./curio test window-post here
> ./curio test window-post task
> ./curio test debug
> ./curio test debug ipni-piece-chunks
> ./curio web
> ./curio guided-setup
> ./curio seal
> ./curio seal start
> ./curio seal events
> ./curio unseal
> ./curio unseal info
> ./curio unseal list-sectors
> ./curio unseal set-target-state
> ./curio unseal check
> ./curio market
> ./curio market seal
> ./curio market add-url
> ./curio market move-to-escrow
> ./curio market ddo
> ./curio fetch-params
> ./curio calc
> ./curio calc batch-cpu
> ./curio calc supraseal-config
> ./curio toolbox
> ./curio toolbox fix-msg
> ./sptool
> ./sptool actor
> ./sptool actor set-addresses
> ./sptool actor withdraw
> ./sptool actor repay-debt
> ./sptool actor set-peer-id
> ./sptool actor set-owner
> ./sptool actor control
> ./sptool actor control list
> ./sptool actor control set
> ./sptool actor propose-change-worker
> ./sptool actor confirm-change-worker
> ./sptool actor compact-allocated
> ./sptool actor propose-change-beneficiary
> ./sptool actor confirm-change-beneficiary
> ./sptool actor new-miner
> ./sptool info
> ./sptool sectors
> ./sptool sectors status
> ./sptool sectors list
> ./sptool sectors precommits
> ./sptool sectors check-expire
> ./sptool sectors expired
> ./sptool sectors extend
> ./sptool sectors terminate
> ./sptool sectors compact-partitions
> ./sptool proving
> ./sptool proving info
> ./sptool proving deadlines
> ./sptool proving deadline
> ./sptool proving faults
> ./sptool toolbox
> ./sptool toolbox spark
> ./sptool toolbox spark delete-peer
> ./sptool toolbox mk12-client
> ./sptool toolbox mk12-client init
> ./sptool toolbox mk12-client deal
> ./sptool toolbox mk12-client deal-status
> ./sptool toolbox mk12-client offline-deal
> ./sptool toolbox mk12-client allocate
> ./sptool toolbox mk12-client list-allocations
> ./sptool toolbox mk12-client market-add
> ./sptool toolbox mk12-client market-withdraw
> ./sptool toolbox mk12-client commp
> ./sptool toolbox mk12-client generate-rand-car
> ./sptool toolbox mk12-client wallet
> ./sptool toolbox mk12-client wallet new
> ./sptool toolbox mk12-client wallet list
> ./sptool toolbox mk12-client wallet balance
> ./sptool toolbox mk12-client wallet export
> ./sptool toolbox mk12-client wallet import
> ./sptool toolbox mk12-client wallet default
> ./sptool toolbox mk12-client wallet set-default
> ./sptool toolbox mk12-client wallet delete
> ./sptool toolbox mk12-client wallet sign
echo '---' > documentation/en/configuration/default-curio-configuration.md
echo 'description: The default curio configuration' >> documentation/en/configuration/default-curio-configuration.md
echo '---' >> documentation/en/configuration/default-curio-configuration.md
echo '' >> documentation/en/configuration/default-curio-configuration.md
echo '# Default Curio Configuration' >> documentation/en/configuration/default-curio-configuration.md
echo '' >> documentation/en/configuration/default-curio-configuration.md
echo '```toml' >> documentation/en/configuration/default-curio-configuration.md
./curio config default >> documentation/en/configuration/default-curio-configuration.md
echo '```' >> documentation/en/configuration/default-curio-configuration.md
go run ./scripts/fiximports
go mod tidy
go: downloading github.com/magefile/mage v1.9.0
go: downloading github.com/Microsoft/go-winio v0.6.2
go: downloading github.com/GeertJohan/go.rice v1.0.3
go: downloading github.com/whyrusleeping/bencher v0.0.0-20190829221104-bb6607aa8bba
go: downloading go.uber.org/mock v0.5.0
go: downloading github.com/tidwall/gjson v1.14.4
go: downloading github.com/xorcare/golden v0.6.1-0.20191112154924-b87f686d7542
go: downloading github.com/google/gofuzz v1.2.0
go: downloading gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
go: downloading github.com/cockroachdb/cockroach-go/v2 v2.2.0
go: downloading github.com/jackc/pgx/v5 v5.6.0
go: downloading github.com/google/brotli/go/cbrotli v0.0.0-20230829110029-ed738e842d2f
go: downloading github.com/valyala/gozstd v1.20.1
go: downloading github.com/chengxilo/virtualterm v1.0.4
go: downloading github.com/smartystreets/goconvey v1.7.2
go: downloading github.com/ipld/go-ipld-prime/storage/bsadapter v0.0.0-20230102063945-1a409dc236dd
go: downloading go.uber.org/goleak v1.3.0
go: downloading github.com/leanovate/gopter v0.2.9
go: downloading github.com/ipfs/go-ipfs-blocksutil v0.0.1
go: downloading github.com/icza/mighty v0.0.0-20180919140131-cfd07d671de6
go: downloading github.com/warpfork/go-wish v0.0.0-20220906213052-39a1cc7a02d0
go: downloading github.com/libp2p/go-libp2p-testing v0.12.0
go: downloading github.com/ipfs/go-test v0.0.4
go: downloading github.com/frankban/quicktest v1.14.6
go: downloading github.com/ipfs/go-detect-race v0.0.1
go: downloading github.com/kylelemons/godebug v1.1.0
go: downloading github.com/pierrec/lz4/v4 v4.1.21
go: downloading github.com/chzyer/test v1.0.0
go: downloading github.com/stretchr/objx v0.5.2
go: downloading github.com/ipld/go-fixtureplate v0.0.3
go: downloading github.com/ipld/ipld/specs v0.0.0-20231012031213-54d3b21deda4
go: downloading github.com/gofrs/flock v0.8.1
go: downloading github.com/rs/cors v1.7.0
go: downloading github.com/elastic/go-windows v1.0.0
go: downloading gotest.tools v2.2.0+incompatible
go: downloading github.com/decred/dcrd/crypto/blake256 v1.0.1
go: downloading github.com/warpfork/go-testmark v0.12.1
go: downloading github.com/ipfs/go-ipfs-chunker v0.0.5
go: downloading golang.org/x/time v0.11.0
go: downloading github.com/ethereum/c-kzg-4844 v1.0.0
go: downloading github.com/kr/pretty v0.3.1
go: downloading github.com/olekukonko/tablewriter v0.0.5
go: downloading github.com/onsi/ginkgo v1.16.5
go: downloading github.com/onsi/gomega v1.36.2
go: downloading github.com/cespare/cp v0.1.0
go: downloading github.com/hashicorp/go-hclog v1.6.3
go: downloading github.com/alecthomas/units v0.0.0-20231202071711-9a357b53e9c9
go: downloading github.com/jbenet/go-random v0.0.0-20190219211222-123a90aedc0c
go: downloading github.com/bitly/go-hostpool v0.0.0-20171023180738-a3a6125de932
go: downloading github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869
go: downloading github.com/filecoin-project/go-data-transfer/v2 v2.0.0-rc7
go: downloading github.com/filecoin-project/go-retrieval-types v1.2.0
go: downloading github.com/VictoriaMetrics/fastcache v1.12.2
go: downloading github.com/holiman/bloomfilter/v2 v2.0.3
go: downloading github.com/holiman/billy v0.0.0-20240216141850-2abb0c79d3c4
go: downloading github.com/StackExchange/wmi v1.2.1
go: downloading github.com/cockroachdb/pebble v1.1.2
go: downloading github.com/hashicorp/go-bexpr v0.1.10
go: downloading gopkg.in/natefinch/lumberjack.v2 v2.2.1
go: downloading github.com/chzyer/logex v1.2.1
go: downloading github.com/ipfs/go-ipfs-exchange-offline v0.3.0
go: downloading github.com/zeebo/assert v1.3.0
go: downloading github.com/btcsuite/btcd/btcec/v2 v2.3.4
go: downloading github.com/ipsn/go-secp256k1 v0.0.0-20180726113642-9d62b9f0bc52
go: downloading github.com/btcsuite/btcd v0.0.0-20190605094302-a0d1e3e36d50
go: downloading github.com/jonboulle/clockwork v0.5.0
go: downloading github.com/hashicorp/consul/sdk v0.16.1
go: downloading github.com/onsi/ginkgo/v2 v2.22.2
go: downloading github.com/ipfs/go-unixfs v0.4.5
go: downloading github.com/GeertJohan/go.incremental v1.0.0
go: downloading github.com/akavel/rsrc v0.8.0
go: downloading github.com/daaku/go.zipexe v1.0.2
go: downloading github.com/jessevdk/go-flags v1.4.0
go: downloading github.com/nkovacs/streamquote v1.0.0
go: downloading github.com/valyala/fasttemplate v1.0.1
go: downloading github.com/mikioh/tcp v0.0.0-20190314235350-803a9b46060c
go: downloading github.com/tidwall/match v1.0.1
go: downloading github.com/tidwall/pretty v1.0.0
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.13.1
go: downloading github.com/lib/pq v1.10.9
go: downloading github.com/OneOfOne/xxhash v1.2.2
go: downloading github.com/gammazero/channelqueue v0.2.2
go: downloading github.com/ipfs/go-bitswap v0.11.0
go: downloading github.com/ipfs/go-ipfs-routing v0.3.0
go: downloading github.com/go-ole/go-ole v1.3.0
go: downloading github.com/jmoiron/sqlx v1.4.0
go: downloading go.dedis.ch/protobuf v1.0.11
go: downloading github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
go: downloading github.com/mitchellh/pointerstructure v1.2.0
go: downloading github.com/jtolds/gls v4.20.0+incompatible
go: downloading github.com/smartystreets/assertions v1.13.0
go: downloading github.com/nxadm/tail v1.4.11
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0
go: downloading github.com/ardanlabs/darwin/v2 v2.0.0
go: downloading github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
go: downloading go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.59.0
go: downloading github.com/cockroachdb/errors v1.11.3
go: downloading github.com/cockroachdb/fifo v0.0.0-20240606204812-0bbfbd93a7ce
go: downloading github.com/cockroachdb/redact v1.1.5
go: downloading github.com/cockroachdb/tokenbucket v0.0.0-20230807174530-cc333fc44b06
go: downloading github.com/cloudflare/circl v1.3.9
go: downloading go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0
go: downloading github.com/go-task/slim-sprig/v3 v3.0.0
go: downloading github.com/bep/debounce v1.2.1
go: downloading github.com/filecoin-project/go-ds-versioning v0.1.2
go: downloading github.com/valyala/bytebufferpool v1.0.0
go: downloading github.com/gopherjs/gopherjs v1.17.2
go: downloading gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7
go: downloading go.opentelemetry.io/proto/otlp v1.5.0
go: downloading github.com/DataDog/zstd v1.4.5
go: downloading go.etcd.io/bbolt v1.3.11
go: downloading github.com/google/pprof v0.0.0-20250208200701-d0013a598941
go: downloading github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b
go: downloading github.com/getsentry/sentry-go v0.27.0
go: downloading github.com/gammazero/deque v0.2.1
go: downloading github.com/mitchellh/mapstructure v1.5.0
go: downloading github.com/cenkalti/backoff/v4 v4.3.0
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1
go: downloading github.com/grpc-ecosystem/grpc-gateway v1.5.0
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20250212204824-5a70512c5d8b
go: downloading github.com/supranational/blst v0.3.13
go: downloading google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1

@davidgasquez

Nice, CI seems to be happy! 💃

@LexLuthr LexLuthr merged commit 1941972 into filecoin-project:main Jun 11, 2025
17 checks passed