Ability to set the Service-Worker-Allowed header

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e1dfeae01c00199f45de696ae910d63b94627242..765546941b19c4e40b80185de64d049acc7bece3 100644 (file)
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,7 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
 - Ability to set ActivityPub aliases for follower migration.
 - Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
-
+- Ability to set the `Service-Worker-Allowed` header
 
 <details>
   <summary>API Changes</summary>

diff --git a/config/description.exs b/config/description.exs
index 715a0d0c36e731c6732acdc72607c19fcb44a80d..0580be09aad3205058ad71ef70fecb38370b8bf3 100644 (file)
--- a/config/description.exs
+++ b/config/description.exs
@@ -1749,6 +1749,14 @@ config :pleroma, :config_description, [
         type: :string,
         description: "Adds the specified URL to report-uri and report-to group in CSP header",
         suggestions: ["https://example.com/report-uri"]
+      },
+      %{
+        key: :service_worker_allowed,
+        label: "The Service-Worker-Allowed header",
+        type: :string,
+        description:
+          "Sets the Service-Worker-Allowed header which limits the maximum allowed Service Worker scope",
+        suggestions: ["/"]
       }
     ]
   },

diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
index 4b84f575da8bcffe6deea4e6a9df0b62c6a77fdb..6c959a870f4a6546a03a20265f1c00d9fb006648 100644 (file)
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -23,6 +23,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
   defp headers do
     referrer_policy = Config.get([:http_security, :referrer_policy])
     report_uri = Config.get([:http_security, :report_uri])
+    service_worker_allowed = Config.get([:http_security, :service_worker_allowed])
 
     headers = [
       {"x-xss-protection", "1; mode=block"},
@@ -34,6 +35,13 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
       {"content-security-policy", csp_string()}
     ]
 
+    headers =
+      if service_worker_allowed do
+        [{"service-worker-allowed", service_worker_allowed} | headers]
+      else
+        headers
+      end
+
     if report_uri do
       report_group = %{
         "group" => "csp-endpoint",

diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs
index 4233e85c0e073555d24bc7e031c5e5f31d99bb2b..26c9fd317873776398dd6cb9ba6662c9c0847189 100644 (file)
--- a/test/pleroma/web/plugs/http_security_plug_test.exs
+++ b/test/pleroma/web/plugs/http_security_plug_test.exs
@@ -72,6 +72,14 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
       assert csp =~ "media-src 'self' https:;"
       assert csp =~ "img-src 'self' data: blob: https:;"
     end
+
+    test "it sets the Service-Worker-Allowed header", %{conn: conn} do
+      clear_config([:http_security, :enabled], true)
+      clear_config([:http_security, :service_worker_allowed], "/")
+
+      conn = get(conn, "/api/v1/instance")
+      assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
+    end
   end
 
   describe "img-src and media-src" do