From 133644dfa2e46dc48980ae6f835b7aa2758b4250 Mon Sep 17 00:00:00 2001 From: eugenijm Date: Fri, 8 Jan 2021 12:06:04 +0300 Subject: [PATCH 1/2] Ability to set the Service-Worker-Allowed header --- CHANGELOG.md | 2 +- config/description.exs | 8 ++++++++ lib/pleroma/web/plugs/http_security_plug.ex | 8 ++++++++ test/pleroma/web/plugs/http_security_plug_test.exs | 8 ++++++++ 4 files changed, 25 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e1dfeae01..765546941 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,7 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc. - Ability to set ActivityPub aliases for follower migration. - Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy - +- Ability to set the `Service-Worker-Allowed` header
API Changes diff --git a/config/description.exs b/config/description.exs index 715a0d0c3..0580be09a 100644 --- a/config/description.exs +++ b/config/description.exs @@ -1749,6 +1749,14 @@ type: :string, description: "Adds the specified URL to report-uri and report-to group in CSP header", suggestions: ["https://example.com/report-uri"] + }, + %{ + key: :service_worker_allowed, + label: "The Service-Worker-Allowed header", + type: :string, + description: + "Sets the Service-Worker-Allowed header which limits the maximum allowed Service Worker scope", + suggestions: ["/"] } ] }, diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex index 4b84f575d..6c959a870 100644 --- a/lib/pleroma/web/plugs/http_security_plug.ex +++ b/lib/pleroma/web/plugs/http_security_plug.ex @@ -23,6 +23,7 @@ def call(conn, _options) do defp headers do referrer_policy = Config.get([:http_security, :referrer_policy]) report_uri = Config.get([:http_security, :report_uri]) + service_worker_allowed = Config.get([:http_security, :service_worker_allowed]) headers = [ {"x-xss-protection", "1; mode=block"}, @@ -34,6 +35,13 @@ defp headers do {"content-security-policy", csp_string()} ] + headers = + if service_worker_allowed do + [{"service-worker-allowed", service_worker_allowed} | headers] + else + headers + end + if report_uri do report_group = %{ "group" => "csp-endpoint", diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs index 4233e85c0..26c9fd317 100644 --- a/test/pleroma/web/plugs/http_security_plug_test.exs +++ b/test/pleroma/web/plugs/http_security_plug_test.exs @@ -72,6 +72,14 @@ test "default values for img-src and media-src with disabled media proxy", %{con assert csp =~ "media-src 'self' https:;" assert csp =~ "img-src 'self' data: blob: https:;" end + + test "it sets the Service-Worker-Allowed header", %{conn: conn} do + clear_config([:http_security, :enabled], true) + clear_config([:http_security, :service_worker_allowed], "/") + + conn = get(conn, "/api/v1/instance") + assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"] + end end describe "img-src and media-src" do From 7fcaa188a0be4bc8e41790ddda9b6789cb318347 Mon Sep 17 00:00:00 2001 From: eugenijm Date: Thu, 21 Jan 2021 14:58:18 +0300 Subject: [PATCH 2/2] Allow to define custom HTTP headers per each frontend --- CHANGELOG.md | 2 +- config/config.exs | 5 +++- config/description.exs | 14 +++++------ lib/pleroma/web/plugs/http_security_plug.ex | 24 +++++++++++++++---- .../web/plugs/http_security_plug_test.exs | 9 ++++++- 5 files changed, 39 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 765546941..d8fcab9af 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -35,7 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc. - Ability to set ActivityPub aliases for follower migration. - Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy -- Ability to set the `Service-Worker-Allowed` header +- Ability to define custom HTTP headers per each frontend
API Changes diff --git a/config/config.exs b/config/config.exs index c4a690799..fbaf9a7b5 100644 --- a/config/config.exs +++ b/config/config.exs @@ -723,7 +723,10 @@ "git" => "https://git.pleroma.social/pleroma/fedi-fe", "build_url" => "https://git.pleroma.social/pleroma/fedi-fe/-/jobs/artifacts/${ref}/download?job=build", - "ref" => "master" + "ref" => "master", + "custom-http-headers" => [ + {"service-worker-allowed", "/"} + ] }, "admin-fe" => %{ "name" => "admin-fe", diff --git a/config/description.exs b/config/description.exs index 0580be09a..2de2e1947 100644 --- a/config/description.exs +++ b/config/description.exs @@ -60,6 +60,12 @@ label: "Build directory", type: :string, description: "The directory inside the zip file " + }, + %{ + key: "custom-http-headers", + label: "Custom HTTP headers", + type: {:list, :string}, + description: "The custom HTTP headers for the frontend" } ] @@ -1749,14 +1755,6 @@ type: :string, description: "Adds the specified URL to report-uri and report-to group in CSP header", suggestions: ["https://example.com/report-uri"] - }, - %{ - key: :service_worker_allowed, - label: "The Service-Worker-Allowed header", - type: :string, - description: - "Sets the Service-Worker-Allowed header which limits the maximum allowed Service Worker scope", - suggestions: ["/"] } ] }, diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex index 6c959a870..0025b042a 100644 --- a/lib/pleroma/web/plugs/http_security_plug.ex +++ b/lib/pleroma/web/plugs/http_security_plug.ex @@ -20,10 +20,26 @@ def call(conn, _options) do end end - defp headers do + def primary_frontend do + with %{"name" => frontend} <- Config.get([:frontends, :primary]), + available <- Config.get([:frontends, :available]), + %{} = primary_frontend <- Map.get(available, frontend) do + {:ok, primary_frontend} + end + end + + def custom_http_frontend_headers do + with {:ok, %{"custom-http-headers" => custom_headers}} <- primary_frontend() do + custom_headers + else + _ -> [] + end + end + + def headers do referrer_policy = Config.get([:http_security, :referrer_policy]) report_uri = Config.get([:http_security, :report_uri]) - service_worker_allowed = Config.get([:http_security, :service_worker_allowed]) + custom_http_frontend_headers = custom_http_frontend_headers() headers = [ {"x-xss-protection", "1; mode=block"}, @@ -36,8 +52,8 @@ defp headers do ] headers = - if service_worker_allowed do - [{"service-worker-allowed", service_worker_allowed} | headers] + if custom_http_frontend_headers do + custom_http_frontend_headers ++ headers else headers end diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs index 26c9fd317..4e7befdd5 100644 --- a/test/pleroma/web/plugs/http_security_plug_test.exs +++ b/test/pleroma/web/plugs/http_security_plug_test.exs @@ -75,7 +75,14 @@ test "default values for img-src and media-src with disabled media proxy", %{con test "it sets the Service-Worker-Allowed header", %{conn: conn} do clear_config([:http_security, :enabled], true) - clear_config([:http_security, :service_worker_allowed], "/") + clear_config([:frontends, :primary], %{"name" => "fedi-fe", "ref" => "develop"}) + + clear_config([:frontends, :available], %{ + "fedi-fe" => %{ + "name" => "fedi-fe", + "custom-http-headers" => [{"service-worker-allowed", "/"}] + } + }) conn = get(conn, "/api/v1/instance") assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]