Merge branch 'service-worker-allowed-header' into 'develop'

Ability to set custom HTTP headers per each frontend See merge request pleroma/pleroma!3247
2021-01-26 18:14:01 +00:00 · 2021-01-26 18:14:01 +00:00 · d7af0294e6
parent e1eac4faac 7fcaa188a0
commit d7af0294e6
5 changed files with 51 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -38,7 +38,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
 - Ability to set ActivityPub aliases for follower migration.
 - Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
-
+- Ability to define custom HTTP headers per each frontend

 <details>
  <summary>API Changes</summary>
--- a/config/config.exs
+++ b/config/config.exs
@ -725,7 +725,10 @@
      "git" => "https://git.pleroma.social/pleroma/fedi-fe",
      "build_url" =>
        "https://git.pleroma.social/pleroma/fedi-fe/-/jobs/artifacts/${ref}/download?job=build",
-      "ref" => "master"
+      "ref" => "master",
+      "custom-http-headers" => [
+        {"service-worker-allowed", "/"}
+      ]
    },
    "admin-fe" => %{
      "name" => "admin-fe",
--- a/config/description.exs
+++ b/config/description.exs
@ -60,6 +60,12 @@
    label: "Build directory",
    type: :string,
    description: "The directory inside the zip file "
+  },
+  %{
+    key: "custom-http-headers",
+    label: "Custom HTTP headers",
+    type: {:list, :string},
+    description: "The custom HTTP headers for the frontend"
  }
 ]

--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@ -20,9 +20,26 @@ def call(conn, _options) do
    end
  end

-  defp headers do
+  def primary_frontend do
+    with %{"name" => frontend} <- Config.get([:frontends, :primary]),
+         available <- Config.get([:frontends, :available]),
+         %{} = primary_frontend <- Map.get(available, frontend) do
+      {:ok, primary_frontend}
+    end
+  end
+
+  def custom_http_frontend_headers do
+    with {:ok, %{"custom-http-headers" => custom_headers}} <- primary_frontend() do
+      custom_headers
+    else
+      _ -> []
+    end
+  end
+
+  def headers do
    referrer_policy = Config.get([:http_security, :referrer_policy])
    report_uri = Config.get([:http_security, :report_uri])
+    custom_http_frontend_headers = custom_http_frontend_headers()

    headers = [
      {"x-xss-protection", "1; mode=block"},
@ -34,6 +51,13 @@ defp headers do
      {"content-security-policy", csp_string()}
    ]

+    headers =
+      if custom_http_frontend_headers do
+        custom_http_frontend_headers ++ headers
+      else
+        headers
+      end
+
    if report_uri do
      report_group = %{
        "group" => "csp-endpoint",
--- a/test/pleroma/web/plugs/http_security_plug_test.exs
+++ b/test/pleroma/web/plugs/http_security_plug_test.exs
@ -72,6 +72,21 @@ test "default values for img-src and media-src with disabled media proxy", %{con
      assert csp =~ "media-src 'self' https:;"
      assert csp =~ "img-src 'self' data: blob: https:;"
    end
+
+    test "it sets the Service-Worker-Allowed header", %{conn: conn} do
+      clear_config([:http_security, :enabled], true)
+      clear_config([:frontends, :primary], %{"name" => "fedi-fe", "ref" => "develop"})
+
+      clear_config([:frontends, :available], %{
+        "fedi-fe" => %{
+          "name" => "fedi-fe",
+          "custom-http-headers" => [{"service-worker-allowed", "/"}]
+        }
+      })
+
+      conn = get(conn, "/api/v1/instance")
+      assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
+    end
  end

  describe "img-src and media-src" do