Hardcoded main site in CSP

[akerl]

Hi!

I was doing some checking on my web services and noticed that GoatCounter hardcodes the CSP for the main goatcounter CDN as part of the codebase: https://github.com/arp242/goatcounter/blob/main/handlers/mw.go#L347

That CSP makes sense when somebody is using the CDN, but given I'm self-hosting the count.js file, is that necessary? Also, for the count file itself, I'm wondering if it needs to serve up any CSP allowances at all given that it's self-contained?

Happy to try to put up a PR to adjust the behavior if the above makes sense.

Thanks!

[arp242]

The rationale for putting it in there is that anyone can always use gc.zgo.at without mucking about. I'm not sure if anyone is actually doing that, or if it's actually useful in the first place? 🤔 But I don't think it really hurts, either?

[akerl]

I think maybe we're talking about different things?

If I understand correctly, the code I linked to is what the goatcounter server returns. So somebody who's pointing the <script> tag on their site at the CDN will never hit it: their request will be served by the CDN, which will return the JS file with the CSP configured there.

But for folks who are self-hosting, their server is returning that CSP for the count file, so my count file hosted at http://goat.akerl.app/count.js returns a CSP permitting script loads from the CDN server. It seems like the CSP that ought to be returned is just self, since the count file isn't loading any external scripts/styles at all.