authorRuss Cox <rsc@golang.org>2021-11-30 16:16:35 -0500
committerRuss Cox <rsc@golang.org>2021-11-30 23:33:38 +0000
commitc937063ca31ad4d43debd0e2ecd9293a09a34377 (patch)
treef488ee4f3e05d3772fd6684e06360047737e19a0 /cmd
parent90f8f780d1b4ef2c89a5e0985d93a9628eefef6e (diff)
_content/tour: fix links, fix CSP policy for tour
Some links were missing the /tour/ at the front. The tour also has links like <a href="javascript:next()">, which require us to set unsafe-inline (or else enumerate the SHA256 of every link) in the CSP header. Also make the local server a bit more tour-friendly. Fixes golang/go#49880. Change-Id: Ice746571db1a34e1c02b4b2a16c4e9f30dc164d1 Reviewed-on: https://go-review.googlesource.com/c/website/+/368034 Trust: Russ Cox <rsc@golang.org> Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Go Bot <gobot@golang.org> Reviewed-by: Jamal Carvalho <jamal@golang.org> Website-Publish: Russ Cox <rsc@golang.org>
Diffstat (limited to 'cmd')
-rw-r--r--cmd/golangorg/csp.go11
-rw-r--r--cmd/golangorg/server.go22
2 files changed, 25 insertions, 8 deletions
diff --git a/cmd/golangorg/csp.go b/cmd/golangorg/csp.go
index affed288..e8c0ec1c 100644
--- a/cmd/golangorg/csp.go
+++ b/cmd/golangorg/csp.go
@@ -22,12 +22,19 @@ func buildCSP(kind string) string {
for _, k := range ks {
sb.WriteString(k)
sb.WriteString(" ")
- sb.WriteString(strings.Join(csp[k], " "))
+ for _, v := range csp[k] {
+ if (kind == "tour" || kind == "talks") && strings.HasPrefix(v, "'sha256-") {
+ // Must drop sha256 entries to use unsafe-inline.
+ continue
+ }
+ sb.WriteString(v)
+ sb.WriteString(" ")
+ }
if kind == "tour" && k == "script-src" {
sb.WriteString(" ")
sb.WriteString(unsafeEval)
}
- if kind == "talks" && k == "script-src" {
+ if (kind == "talks" || kind == "tour") && k == "script-src" {
sb.WriteString(" ")
sb.WriteString(unsafeInline)
}
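Review bot: The `'sha256-` filter in the new inner loop runs for every directive `k`, not only `script-src`, while `unsafeInline` is appended only to `script-src`. If any other directive in `csp` (not visible here) carries a hash source, tour and talks pages lose it with nothing in its place. Scoping the drop keeps the change to what the comment describes: `if k == "script-src" && (kind == "tour" || kind == "talks") && strings.HasPrefix(v, "'sha256-") {`. The `unsafeInline` branch also deserves a comment such as `// tour now has unsafe-eval and unsafe-inline: CSP no longer blocks injected inline script here, so tour templates must escape all request-derived data.` buildCSP's body starts and ends outside the hunk.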
diff --git a/cmd/golangorg/server.go b/cmd/golangorg/server.go
index eda65ef1..1d0f3e4a 100644
--- a/cmd/golangorg/server.go
+++ b/cmd/golangorg/server.go
@@ -443,7 +443,13 @@ func hostPathHandler(h http.Handler) http.Handler {
elem, rest := strings.TrimPrefix(r.URL.Path, "/"), ""
if i := strings.Index(elem, "/"); i >= 0 {
- elem, rest = elem[:i], elem[i+1:]
+ if elem[:i] == "tour" {
+ // The Angular router serving /tour/ fails badly when it sees /go.dev/tour/.
+ // Just take http://localhost/tour/ as meaning /go.dev/tour/ instead of redirecting.
+ elem, rest = "go.dev", elem
+ } else {
+ elem, rest = elem[:i], elem[i+1:]
+ }
}
if !validHosts[elem] {
u := "/go.dev" + r.URL.EscapedPath()
@@ -461,7 +467,7 @@ func hostPathHandler(h http.Handler) http.Handler {
log.Print(r.URL.String())
- lw := &linkRewriter{ResponseWriter: w, host: r.Host}
+ lw := &linkRewriter{ResponseWriter: w, host: r.Host, tour: strings.HasPrefix(r.URL.Path, "/tour/")}
h.ServeHTTP(lw, r)
lw.Flush()
})
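Review bot: The new `tour:` field on the `linkRewriter` literal is derived from `r.URL.Path` alone, so whether it is set for a `/go.dev/tour/` request depends on the path having had its host element stripped earlier in the handler, in code the hunk does not show. It also ignores the host, so a `/tour/` path under any entry in `validHosts` switches off the root-relative rewriting in `Flush`. If both are intended, a comment would make that explicit, e.g. `// r.URL.Path no longer includes the host element here, so this matches /tour/ and /go.dev/tour/ alike.` If only go.dev is meant, the condition could be `r.Host == "go.dev" && strings.HasPrefix(r.URL.Path, "/tour/")`, assuming `r.Host` holds the mapped host at this point.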
@@ -474,6 +480,7 @@ func hostPathHandler(h http.Handler) http.Handler {
type linkRewriter struct {
http.ResponseWriter
host string
+ tour bool // is this go.dev/tour/?
buf []byte
ct string // content-type
}
@@ -481,7 +488,7 @@ type linkRewriter struct {
func (r *linkRewriter) WriteHeader(code int) {
loc := r.Header().Get("Location")
delete(r.Header(), "Content-Length") // we might change the content
- if strings.HasPrefix(loc, "/") {
+ if strings.HasPrefix(loc, "/") && !strings.HasPrefix(loc, "/tour/") {
r.Header().Set("Location", "/"+r.host+loc)
} else if u, _ := url.Parse(loc); u != nil && validHosts[u.Host] {
r.Header().Set("Location", "/"+u.Host+"/"+strings.TrimPrefix(u.Path, "/")+u.RawQuery)
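Review bot: The `/tour/` exemption added to the first condition keys off the redirect target rather than `r.tour`, so a redirect into `/tour/` issued while serving any host is left unprefixed, whereas `Flush` gates its matching exemption on `r.tour`. That appears to rely on hostPathHandler serving a bare `/tour/` as go.dev, which is worth stating at the check: `// Leave /tour/ redirects unprefixed: hostPathHandler serves /tour/ as go.dev/tour/ directly.` A `Location` of exactly `/tour` (no trailing slash) does not match the prefix and is still rewritten to `/<host>/tour`; confirm that is the intended behaviour. WriteHeader's body continues outside the hunk.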
@@ -506,9 +513,12 @@ func (r *linkRewriter) Write(data []byte) (int, error) {
}
func (r *linkRewriter) Flush() {
- repl := []string{
- `href="/`, `href="/` + r.host + `/`,
- `src="/`, `src="/` + r.host + `/`,
+ var repl []string
+ if !r.tour {
+ repl = []string{
+ `href="/`, `href="/` + r.host + `/`,
+ `src="/`, `src="/` + r.host + `/`,
+ }
}
for host := range validHosts {
repl = append(repl, `href="https://`+host, `href="/`+host)