Merge branch 'service-worker-allowed-header' into 'develop'

Ability to set custom HTTP headers per each frontend

See merge request pleroma/pleroma!3247
This commit is contained in:
feld 2021-01-26 18:14:01 +00:00
commit d7af0294e6
5 changed files with 51 additions and 3 deletions

View file

@ -38,7 +38,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc. - OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
- Ability to set ActivityPub aliases for follower migration. - Ability to set ActivityPub aliases for follower migration.
- Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy - Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
- Ability to define custom HTTP headers per each frontend
<details> <details>
<summary>API Changes</summary> <summary>API Changes</summary>

View file

@ -725,7 +725,10 @@ config :pleroma, :frontends,
"git" => "https://git.pleroma.social/pleroma/fedi-fe", "git" => "https://git.pleroma.social/pleroma/fedi-fe",
"build_url" => "build_url" =>
"https://git.pleroma.social/pleroma/fedi-fe/-/jobs/artifacts/${ref}/download?job=build", "https://git.pleroma.social/pleroma/fedi-fe/-/jobs/artifacts/${ref}/download?job=build",
"ref" => "master" "ref" => "master",
"custom-http-headers" => [
{"service-worker-allowed", "/"}
]
}, },
"admin-fe" => %{ "admin-fe" => %{
"name" => "admin-fe", "name" => "admin-fe",

View file

@ -60,6 +60,12 @@ frontend_options = [
label: "Build directory", label: "Build directory",
type: :string, type: :string,
description: "The directory inside the zip file " description: "The directory inside the zip file "
},
%{
key: "custom-http-headers",
label: "Custom HTTP headers",
type: {:list, :string},
description: "The custom HTTP headers for the frontend"
} }
] ]

View file

@ -20,9 +20,26 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
end end
end end
defp headers do def primary_frontend do
with %{"name" => frontend} <- Config.get([:frontends, :primary]),
available <- Config.get([:frontends, :available]),
%{} = primary_frontend <- Map.get(available, frontend) do
{:ok, primary_frontend}
end
end
def custom_http_frontend_headers do
with {:ok, %{"custom-http-headers" => custom_headers}} <- primary_frontend() do
custom_headers
else
_ -> []
end
end
def headers do
referrer_policy = Config.get([:http_security, :referrer_policy]) referrer_policy = Config.get([:http_security, :referrer_policy])
report_uri = Config.get([:http_security, :report_uri]) report_uri = Config.get([:http_security, :report_uri])
custom_http_frontend_headers = custom_http_frontend_headers()
headers = [ headers = [
{"x-xss-protection", "1; mode=block"}, {"x-xss-protection", "1; mode=block"},
@ -34,6 +51,13 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
{"content-security-policy", csp_string()} {"content-security-policy", csp_string()}
] ]
headers =
if custom_http_frontend_headers do
custom_http_frontend_headers ++ headers
else
headers
end
if report_uri do if report_uri do
report_group = %{ report_group = %{
"group" => "csp-endpoint", "group" => "csp-endpoint",

View file

@ -72,6 +72,21 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
assert csp =~ "media-src 'self' https:;" assert csp =~ "media-src 'self' https:;"
assert csp =~ "img-src 'self' data: blob: https:;" assert csp =~ "img-src 'self' data: blob: https:;"
end end
test "it sets the Service-Worker-Allowed header", %{conn: conn} do
clear_config([:http_security, :enabled], true)
clear_config([:frontends, :primary], %{"name" => "fedi-fe", "ref" => "develop"})
clear_config([:frontends, :available], %{
"fedi-fe" => %{
"name" => "fedi-fe",
"custom-http-headers" => [{"service-worker-allowed", "/"}]
}
})
conn = get(conn, "/api/v1/instance")
assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
end
end end
describe "img-src and media-src" do describe "img-src and media-src" do