diff options
| author | kaniini <nenolod@gmail.com> | 2019-05-16 20:11:12 +0000 |
|---|---|---|
| committer | kaniini <nenolod@gmail.com> | 2019-05-16 20:11:12 +0000 |
| commit | bf84d50c76cb8d9a6a9ea77a7620c9545b10a7ed (patch) | |
| tree | d2f318ac678c2dbb65bf49f622d0979778c71648 /lib | |
| parent | a328251a525bf09a26d3d52c34f48f1e97d34f1b (diff) | |
| parent | 4711d8151c8cb7ce2024f378e17b3a113a3aac1c (diff) | |
| download | pleroma-bf84d50c76cb8d9a6a9ea77a7620c9545b10a7ed.tar.gz | |
Merge branch 'feature/890-add-report-uri' into 'develop'
Feature/890 add report uri
Closes #890
See merge request pleroma/pleroma!1164
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/pleroma/plugs/http_security_plug.ex | 31 |
1 files changed, 25 insertions, 6 deletions
diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index a476f1d49..485ddfbc7 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -20,8 +20,9 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do defp headers do referrer_policy = Config.get([:http_security, :referrer_policy]) + report_uri = Config.get([:http_security, :report_uri]) - [ + headers = [ {"x-xss-protection", "1; mode=block"}, {"x-permitted-cross-domain-policies", "none"}, {"x-frame-options", "DENY"}, @@ -30,12 +31,27 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do {"x-download-options", "noopen"}, {"content-security-policy", csp_string() <> ";"} ] + + if report_uri do + report_group = %{ + "group" => "csp-endpoint", + "max-age" => 10_886_400, + "endpoints" => [ + %{"url" => report_uri} + ] + } + + headers ++ [{"reply-to", Jason.encode!(report_group)}] + else + headers + end end defp csp_string do scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme] static_url = Pleroma.Web.Endpoint.static_url() websocket_url = Pleroma.Web.Endpoint.websocket_url() + report_uri = Config.get([:http_security, :report_uri]) connect_src = "connect-src 'self' #{static_url} #{websocket_url}" @@ -53,7 +69,7 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do "script-src 'self'" end - [ + main_part = [ "default-src 'none'", "base-uri 'self'", "frame-ancestors 'none'", @@ -63,11 +79,14 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do "font-src 'self'", "manifest-src 'self'", connect_src, - script_src, - if scheme == "https" do - "upgrade-insecure-requests" - end + script_src ] + + report = if report_uri, do: ["report-uri #{report_uri}; report-to csp-endpoint"], else: [] + + insecure = if scheme == "https", do: ["upgrade-insecure-requests"], else: [] + + (main_part ++ report ++ insecure) |> Enum.join("; ") end |