luci-plugin-csp: add configuration options for CSP

- ucode: add configured CSP HTTP headers - js: add dropdown to select CSP-mode and textbox to configure custom CSP policy Signed-off-by: Jostein Kjønigsen <jostein@kjonigsen.net>
2026-05-31 02:21:50 +08:00 · 2026-05-20 20:45:28 +02:00
parent cbcb9315b7
commit 58c7bc74a9
3 changed files with 84 additions and 0 deletions
@@ -0,0 +1,14 @@
 include $(TOPDIR)/rules.mk
 PKG_NAME:=luci-plugin-csp
 LUCI_TITLE:=LuCI CSP Plugin - Content-Security-Policy HTTP header
 LUCI_DEPENDS:=+luci-base +luci-mod-system
 LUCI_TYPE:=plugin
 PKG_LICENSE:=Apache-2.0
 include ../../luci.mk
 # call BuildPackage - OpenWrt buildroot signature
@@ -0,0 +1,41 @@
 'use strict';
 'require baseclass';
 'require form';
 return baseclass.extend({
 	class: 'http',
 	class_i18n: _('HTTP'),
 	type: 'headers',
 	type_i18n: _('Headers'),
 	name: 'Content-Security-Policy',
 	id: 'c0ffee2cf63e160c091224d95d69cdff',
 	title: _('Content Security Policy'),
 	description: _('Adds a Content-Security-Policy HTTP response header to protect against XSS and content injection attacks.'),
 	addFormOptions(s) {
 		let o;
 		o = s.option(form.Flag, 'enabled', _('Enabled'));
 		o = s.option(form.ListValue, 'mode', _('Mode'));
 		o.value('strict', _('Strict'));
 		o.value('permissive', _('Permissive'));
 		o.value('custom', _('Custom (experts only)'));
 		o.default = 'strict';
 		o.depends('enabled', '1');
 		o = s.option(form.Value, 'policy', _('Custom CSP Policy String'),
 			_('WARNING: Wrong values can render the web-UI inaccessible, requiring SSH to recover (/etc/config/luci_plugins).'));
 		o.default = "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'trusted-types-eval'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; connect-src 'self' https://sysupgrade.openwrt.org;";
 		o.depends({ enabled: '1', mode: 'custom' });
 	},
 	configSummary(section) {
 		if (section.enabled !== '1')
 			return _('Disabled');
 		return _('Mode: %s').format(section.mode || 'strict');
 	}
 });
@@ -0,0 +1,29 @@
 // SPDX-License-Identifier: Apache-2.0
 'use strict';
 import { cursor } from 'uci';
 function default_action(plugin_id) {
 	const uci = cursor();
 	const mode = uci.get('luci_plugins', plugin_id, 'mode') || 'strict';
 	const presets = {
 		'strict': "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'trusted-types-eval'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; connect-src 'self' https://sysupgrade.openwrt.org;",
 		'permissive': "default-src 'self' https://*; script-src 'self' 'unsafe-inline' 'unsafe-eval' 'trusted-types-eval'; img-src 'self' data: blob: https://*; style-src 'self' 'unsafe-inline' https://*;",
 	};
 	let policy;
 	if (mode === 'custom')
 		policy = uci.get('luci_plugins', plugin_id, 'policy');
 	else
 		policy = presets[mode];
 	if (!policy)
 		return null;
 	return ['Content-Security-Policy', policy];
 }
 return default_action;