logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma git clone https://hacktivis.me/git/pleroma.git
commit: d7af0294e6a3a690524e0a08a35c9c6dafbb9f79
parent e1eac4faac723c5015d7d696600d24c44f5ab52c
Author: feld <feld@feld.me>
Date:   Tue, 26 Jan 2021 18:14:01 +0000

Merge branch 'service-worker-allowed-header' into 'develop'

Ability to set custom HTTP headers per each frontend

See merge request pleroma/pleroma!3247

Diffstat:

MCHANGELOG.md2+-
Mconfig/config.exs5++++-
Mconfig/description.exs6++++++
Mlib/pleroma/web/plugs/http_security_plug.ex26+++++++++++++++++++++++++-
Mtest/pleroma/web/plugs/http_security_plug_test.exs15+++++++++++++++
5 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md @@ -38,7 +38,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc. - Ability to set ActivityPub aliases for follower migration. - Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy - +- Ability to define custom HTTP headers per each frontend <details> <summary>API Changes</summary> diff --git a/config/config.exs b/config/config.exs @@ -725,7 +725,10 @@ config :pleroma, :frontends, "git" => "https://git.pleroma.social/pleroma/fedi-fe", "build_url" => "https://git.pleroma.social/pleroma/fedi-fe/-/jobs/artifacts/${ref}/download?job=build", - "ref" => "master" + "ref" => "master", + "custom-http-headers" => [ + {"service-worker-allowed", "/"} + ] }, "admin-fe" => %{ "name" => "admin-fe", diff --git a/config/description.exs b/config/description.exs @@ -60,6 +60,12 @@ frontend_options = [ label: "Build directory", type: :string, description: "The directory inside the zip file " + }, + %{ + key: "custom-http-headers", + label: "Custom HTTP headers", + type: {:list, :string}, + description: "The custom HTTP headers for the frontend" } ] diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex @@ -20,9 +20,26 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do end end - defp headers do + def primary_frontend do + with %{"name" => frontend} <- Config.get([:frontends, :primary]), + available <- Config.get([:frontends, :available]), + %{} = primary_frontend <- Map.get(available, frontend) do + {:ok, primary_frontend} + end + end + + def custom_http_frontend_headers do + with {:ok, %{"custom-http-headers" => custom_headers}} <- primary_frontend() do + custom_headers + else + _ -> [] + end + end + + def headers do referrer_policy = Config.get([:http_security, :referrer_policy]) report_uri = Config.get([:http_security, :report_uri]) + custom_http_frontend_headers = custom_http_frontend_headers() headers = [ {"x-xss-protection", "1; mode=block"}, @@ -34,6 +51,13 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do {"content-security-policy", csp_string()} ] + headers = + if custom_http_frontend_headers do + custom_http_frontend_headers ++ headers + else + headers + end + if report_uri do report_group = %{ "group" => "csp-endpoint", diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs @@ -72,6 +72,21 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do assert csp =~ "media-src 'self' https:;" assert csp =~ "img-src 'self' data: blob: https:;" end + + test "it sets the Service-Worker-Allowed header", %{conn: conn} do + clear_config([:http_security, :enabled], true) + clear_config([:frontends, :primary], %{"name" => "fedi-fe", "ref" => "develop"}) + + clear_config([:frontends, :available], %{ + "fedi-fe" => %{ + "name" => "fedi-fe", + "custom-http-headers" => [{"service-worker-allowed", "/"}] + } + }) + + conn = get(conn, "/api/v1/instance") + assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"] + end end describe "img-src and media-src" do