Add prometheus metrics to router
diff --git
a/lib/pleroma/web/plugs/http_security_plug.ex
b/lib/pleroma/web/plugs/http_security_plug.ex
index 5f36b77d166f217068db5d654ffd175d5dc53e94..6593347caf2a6d8281e701fccaea64bcbca7c0f8 100644
(file)
--- a/
lib/pleroma/web/plugs/http_security_plug.ex
+++ b/
lib/pleroma/web/plugs/http_security_plug.ex
@@
-13,7
+13,7
@@
defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
def call(conn, _options) do
if Config.get([:http_security, :enabled]) do
conn
def call(conn, _options) do
if Config.get([:http_security, :enabled]) do
conn
- |> merge_resp_headers(headers())
+ |> merge_resp_headers(headers(
conn
))
|> maybe_send_sts_header(Config.get([:http_security, :sts]))
else
conn
|> maybe_send_sts_header(Config.get([:http_security, :sts]))
else
conn
@@
-36,7
+36,8
@@
defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
end
end
end
end
- def headers do
+ @spec headers(Plug.Conn.t()) :: [{String.t(), String.t()}]
+ def headers(conn) do
referrer_policy = Config.get([:http_security, :referrer_policy])
report_uri = Config.get([:http_security, :report_uri])
custom_http_frontend_headers = custom_http_frontend_headers()
referrer_policy = Config.get([:http_security, :referrer_policy])
report_uri = Config.get([:http_security, :report_uri])
custom_http_frontend_headers = custom_http_frontend_headers()
@@
-47,8
+48,7
@@
defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
{"x-frame-options", "DENY"},
{"x-content-type-options", "nosniff"},
{"referrer-policy", referrer_policy},
{"x-frame-options", "DENY"},
{"x-content-type-options", "nosniff"},
{"referrer-policy", referrer_policy},
- {"x-download-options", "noopen"},
- {"content-security-policy", csp_string()},
+ {"content-security-policy", csp_string(conn)},
{"permissions-policy", "interest-cohort=()"}
]
{"permissions-policy", "interest-cohort=()"}
]
@@
-76,21
+76,20
@@
defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
static_csp_rules = [
"default-src 'none'",
static_csp_rules = [
"default-src 'none'",
- "base-uri '
self
'",
+ "base-uri '
none
'",
"frame-ancestors 'none'",
"frame-ancestors 'none'",
- "style-src 'self' 'unsafe-inline'",
- "font-src 'self'",
"manifest-src 'self'"
]
@csp_start [Enum.join(static_csp_rules, ";") <> ";"]
"manifest-src 'self'"
]
@csp_start [Enum.join(static_csp_rules, ";") <> ";"]
- defp csp_string do
+ defp csp_string
(conn)
do
scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]
static_url = Pleroma.Web.Endpoint.static_url()
websocket_url = Pleroma.Web.Endpoint.websocket_url()
report_uri = Config.get([:http_security, :report_uri])
scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]
static_url = Pleroma.Web.Endpoint.static_url()
websocket_url = Pleroma.Web.Endpoint.websocket_url()
report_uri = Config.get([:http_security, :report_uri])
-
+ %{assigns: %{csp_nonce: nonce}} = conn
+ nonce_tag = "nonce-" <> nonce
img_src = "img-src 'self' data: blob:"
media_src = "media-src 'self'"
img_src = "img-src 'self' data: blob:"
media_src = "media-src 'self'"
@@
-112,11
+111,14
@@
defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
end
["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
end
+ style_src = "style-src 'self' '#{nonce_tag}'"
+ font_src = "font-src 'self' '#{nonce_tag}' data:"
+
script_src =
if Config.get(:env) == :dev do
script_src =
if Config.get(:env) == :dev do
- "script-src 'self' 'unsafe-eval'"
+ "script-src 'self' 'unsafe-eval'
'#{nonce_tag}'
"
else
else
- "script-src 'self'"
+ "script-src 'self'
'#{nonce_tag}'
"
end
report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
end
report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
@@
-127,6
+129,8
@@
defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
|> add_csp_param(media_src)
|> add_csp_param(connect_src)
|> add_csp_param(script_src)
|> add_csp_param(media_src)
|> add_csp_param(connect_src)
|> add_csp_param(script_src)
+ |> add_csp_param(font_src)
+ |> add_csp_param(style_src)
|> add_csp_param(insecure)
|> add_csp_param(report)
|> :erlang.iolist_to_binary()
|> add_csp_param(insecure)
|> add_csp_param(report)
|> :erlang.iolist_to_binary()
@@
-237,11
+241,9
@@
your instance and your users via malicious posts:
defp maybe_send_sts_header(conn, true) do
max_age_sts = Config.get([:http_security, :sts_max_age])
defp maybe_send_sts_header(conn, true) do
max_age_sts = Config.get([:http_security, :sts_max_age])
- max_age_ct = Config.get([:http_security, :ct_max_age])
merge_resp_headers(conn, [
merge_resp_headers(conn, [
- {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"},
- {"expect-ct", "enforce, max-age=#{max_age_ct}"}
+ {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains; preload"}
])
end
])
end
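Review bot: The new `strict-transport-security` value in maybe_send_sts_header hardcodes `preload` for every instance, and the commit gives operators no way to turn it off; sending the `preload` token together with `includeSubDomains` is the signal that a domain intends to be submitted to the browser HSTS preload list, a near-permanent commitment that also forces HTTPS on every subdomain of a self-hosted server. This should be opt-in behind a config key, e.g. `preload = if Config.get([:http_security, :sts_preload]), do: "; preload", else: ""` and `{"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains#{preload}"}`, keeping today's behaviour for instances that have not opted in. Separately, in the csp_string hunk the bare match `%{assigns: %{csp_nonce: nonce}} = conn` raises MatchError on every request when http_security is enabled if the plug that sets the nonce is not installed ahead of this one; the nonce generation is not visible in this diff, so confirm it is a fresh per-request CSPRNG value in an encoding CSP accepts (base64 characters only), otherwise the policy string itself becomes invalid. Also note that nonce sources are only honoured in script-src and style-src, so the `'#{nonce_tag}'` added to `font-src` has no effect and can be dropped.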