[bugfix] CSP policy fixes for S3/object storage (#2104)

* [bugfix] CSP policy fixes for S3 in non-proxied mode

* It should be img-src
* In both img-src and media-src we still need to include 'self'

internal/middleware/extraheaders.go

@@ -83,11 +83,15 @@ func BuildContentSecurityPolicy() string {
 	// Construct endpoint URL.
 	s3EndpointURLStr := scheme + "://" + s3Endpoint
 
+	// When object storage is in use in non-proxied mode, GtS still serves some
+	// assets itself like the logo, so keep 'self' in there. That should also
+	// handle any redirects from the fileserver to object storage.
+
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
-	policy += "; image-src " + s3EndpointURLStr
+	policy += "; img-src 'self' " + s3EndpointURLStr
 
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
-	policy += "; media-src " + s3EndpointURLStr
+	policy += "; media-src 'self' " + s3EndpointURLStr
 
 	return policy
 }

internal/middleware/middleware_test.go

@@ -44,25 +44,25 @@ func TestBuildContentSecurityPolicy(t *testing.T) {
 			s3Endpoint: "some-bucket-provider.com",
 			s3Proxy:    false,
 			s3Secure:   true,
-			expected:   "default-src 'self'; image-src https://some-bucket-provider.com; media-src https://some-bucket-provider.com",
+			expected:   "default-src 'self'; img-src 'self' https://some-bucket-provider.com; media-src 'self' https://some-bucket-provider.com",
 		},
 		{
 			s3Endpoint: "some-bucket-provider.com:6969",
 			s3Proxy:    false,
 			s3Secure:   true,
-			expected:   "default-src 'self'; image-src https://some-bucket-provider.com:6969; media-src https://some-bucket-provider.com:6969",
+			expected:   "default-src 'self'; img-src 'self' https://some-bucket-provider.com:6969; media-src 'self' https://some-bucket-provider.com:6969",
 		},
 		{
 			s3Endpoint: "some-bucket-provider.com:6969",
 			s3Proxy:    false,
 			s3Secure:   false,
-			expected:   "default-src 'self'; image-src http://some-bucket-provider.com:6969; media-src http://some-bucket-provider.com:6969",
+			expected:   "default-src 'self'; img-src 'self' http://some-bucket-provider.com:6969; media-src 'self' http://some-bucket-provider.com:6969",
 		},
 		{
 			s3Endpoint: "s3.nl-ams.scw.cloud",
 			s3Proxy:    false,
 			s3Secure:   true,
-			expected:   "default-src 'self'; image-src https://s3.nl-ams.scw.cloud; media-src https://s3.nl-ams.scw.cloud",
+			expected:   "default-src 'self'; img-src 'self' https://s3.nl-ams.scw.cloud; media-src 'self' https://s3.nl-ams.scw.cloud",
 		},
 		{
 			s3Endpoint: "some-bucket-provider.com",