// Copyright 2019-2020 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package middleware

import (
	
	
	
)

From content/static/base/base.tmpl
	"'sha256-CoGrkqEM1Kjjf5b1bpcnDLl8ZZLAsVX+BoAzZ5+AOmc='",
	"'sha256-3YbNePu1zD/B/1vcR3xg4CvNdno3XxbHPOPB+s4Sc0U='",
From content/static/html/base.tmpl
	"'sha256-CgM7SjnSbDyuIteS+D1CQuSnzyKwL0qtXLU6ZW2hB+g='",
	"'sha256-dwce5DnVX7uk6fdvvNxQyLTH/cJrTMDK6zzrdKwdwcg='",
From content/static/html/pages/badge.tmpl
From content/static/html/pages/fetch.tmpl
From content/static/html/worker/index.tmpl
From content/static/html/pages/unit.tmpl
From content/static/html/pages/unit_details.tmpl
	"'sha256-nF5UdhqQFxB95DCaw1XdSQCEkIjoMhorTCQ+nQ4+Lq4='",
	"'sha256-L+G1K2BEWa+o2vPy1pwdabLjINBByPWi1NkRwvASUq8='",
From content/static/html/pages/unit_versions.tmpl
From content/static/styleguide/styleguide.tmpl
	"'sha256-Z9STHpM3Fz5XojcH5dbUK50Igi6qInBbVVaqNpjL/HY='",
}
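// SecureHeaders adds a content-security-policy and other security-related
// headers to all responses. The Content-Security-Policy header is written
// only inside the conditional in the handler body, while
// X-Content-Type-Options is written on every response.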
func ( bool) Middleware {
	return func( http.Handler) http.Handler {
		return http.HandlerFunc(func( http.ResponseWriter,  *http.Request) {
Disallow plugin content: pkg.go.dev does not use it.
Disallow <base> URIs, which prevents attackers from changing the locations of scripts loaded from relative URLs. The site doesn’t have a <base> tag anyway.
				"base-uri 'none'",
				fmt.Sprintf("script-src 'unsafe-inline' 'strict-dynamic' https: http: %s",
					strings.Join(scriptHashes, " ")),
			}
			if  {
				.Header().Set("Content-Security-Policy", strings.Join(, "; "))
Don't allow frame embedding.
Prevent MIME sniffing.
			.Header().Set("X-Content-Type-Options", "nosniff")

			.ServeHTTP(, )
		})
	}