pleroma

commit: 133644dfa2e46dc48980ae6f835b7aa2758b4250
parent d8860eaee46c9bc0a079e90dfb008c54923d7330
Author: eugenijm <eugenijm@protonmail.com>
Date:   Fri,  8 Jan 2021 12:06:04 +0300

Ability to set the Service-Worker-Allowed header

Diffstat:
M
CHANGELOG.md
2
+-
M
config/description.exs
8
++++++++
M
lib/pleroma/web/plugs/http_security_plug.ex
8
++++++++
M
test/pleroma/web/plugs/http_security_plug_test.exs
8
++++++++

4 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -35,7 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
 - Ability to set ActivityPub aliases for follower migration.
 - Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
-
+- Ability to set the `Service-Worker-Allowed` header
 
 <details>
   <summary>API Changes</summary>
diff --git a/config/description.exs b/config/description.exs
@@ -1749,6 +1749,14 @@ config :pleroma, :config_description, [
         type: :string,
         description: "Adds the specified URL to report-uri and report-to group in CSP header",
         suggestions: ["https://example.com/report-uri"]
+      },
+      %{
+        key: :service_worker_allowed,
+        label: "The Service-Worker-Allowed header",
+        type: :string,
+        description:
+          "Sets the Service-Worker-Allowed header which limits the maximum allowed Service Worker scope",
+        suggestions: ["/"]
       }
     ]
   },
diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -23,6 +23,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
   defp headers do
     referrer_policy = Config.get([:http_security, :referrer_policy])
     report_uri = Config.get([:http_security, :report_uri])
+    service_worker_allowed = Config.get([:http_security, :service_worker_allowed])
 
     headers = [
       {"x-xss-protection", "1; mode=block"},
@@ -34,6 +35,13 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
       {"content-security-policy", csp_string()}
     ]
 
+    headers =
+      if service_worker_allowed do
+        [{"service-worker-allowed", service_worker_allowed} | headers]
+      else
+        headers
+      end
+
     if report_uri do
       report_group = %{
         "group" => "csp-endpoint",
diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs
@@ -72,6 +72,14 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
       assert csp =~ "media-src 'self' https:;"
       assert csp =~ "img-src 'self' data: blob: https:;"
     end
+
+    test "it sets the Service-Worker-Allowed header", %{conn: conn} do
+      clear_config([:http_security, :enabled], true)
+      clear_config([:http_security, :service_worker_allowed], "/")
+
+      conn = get(conn, "/api/v1/instance")
+      assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
+    end
   end
 
   describe "img-src and media-src" do