pitchum/debianize-mobilizon
pitchum/debianize-mobilizon
1
0
Fork 0
Code Issues Pull Requests Projects Releases 2 Wiki Activity

Add some CSP headers

Browse Source 
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel 2021-01-22 18:15:21 +01:00
parent f0141c97e8
commit b7915a6467
No known key found for this signature in database
GPG Key ID: A061B9DDE0CA0773
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
lib/web/router.ex
View File

@ -4,6 +4,12 @@ defmodule Mobilizon.Web.Router do
""" """
use Mobilizon.Web, :router use Mobilizon.Web, :router
@csp if Application.fetch_env!(:mobilizon, :env) != :dev,
do: "default-src 'self';",
else:
"default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
@headers %{"content-security-policy" => @csp}
pipeline :graphql do pipeline :graphql do
# plug(:accepts, ["json"]) # plug(:accepts, ["json"])
plug(Mobilizon.Web.Auth.Pipeline) plug(Mobilizon.Web.Auth.Pipeline)
@ -30,6 +36,7 @@ defmodule Mobilizon.Web.Router do
pipeline :activity_pub_and_html do pipeline :activity_pub_and_html do
plug(:accepts, ["html", "activity-json"]) plug(:accepts, ["html", "activity-json"])
plug(:put_secure_browser_headers, @headers)
plug(Cldr.Plug.AcceptLanguage, plug(Cldr.Plug.AcceptLanguage,
cldr_backend: Mobilizon.Cldr cldr_backend: Mobilizon.Cldr
@ -37,6 +44,7 @@ defmodule Mobilizon.Web.Router do
end end
pipeline :atom_and_ical do pipeline :atom_and_ical do
plug(:put_secure_browser_headers, @headers)
plug(:accepts, ["atom", "ics", "html"]) plug(:accepts, ["atom", "ics", "html"])
end end
@ -48,10 +56,7 @@ defmodule Mobilizon.Web.Router do
) )
plug(:accepts, ["html"]) plug(:accepts, ["html"])
plug(:fetch_session) plug(:put_secure_browser_headers, @headers)
plug(:fetch_flash)
plug(:protect_from_forgery)
plug(:put_secure_browser_headers)
end end
pipeline :remote_media do pipeline :remote_media do
@ -158,6 +163,8 @@ defmodule Mobilizon.Web.Router do
get("/interact", PageController, :interact) get("/interact", PageController, :interact)
get("/auth/:provider", AuthController, :request) get("/auth/:provider", AuthController, :request)
# sobelow_skip ["Config.CSRFRoute"]
# Possibly related to https://github.com/ueberauth/ueberauth/issues/125
get("/auth/:provider/callback", AuthController, :callback) get("/auth/:provider/callback", AuthController, :callback)
post("/auth/:provider/callback", AuthController, :callback) post("/auth/:provider/callback", AuthController, :callback)
end end