author | 2023-08-20 13:35:55 +0200 | |
---|---|---|
committer | 2023-08-20 13:35:55 +0200 | |
commit | 1e2db7a32f72ee01497a08c67e6f7f507890ee71 (patch) | |
tree | 76a6e64c3897ff183383bdb20b185f42cc462a16 /internal/middleware/extraheaders.go | |
parent | [feature] Instance rules (#2125) (diff) | |
download | gotosocial-1e2db7a32f72ee01497a08c67e6f7f507890ee71.tar.xz |
[feature/bugfix] Probe S3 storage for CSP uri, add config flag for extra URIs (#2134)
* [feature/bugfix] Probe S3 storage for CSP uri, add config flag for extra URIs
* env parsing tests, my coy mistress
Diffstat (limited to 'internal/middleware/extraheaders.go')
-rw-r--r-- | internal/middleware/extraheaders.go | 55 |
1 files changed, 0 insertions, 55 deletions
diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go
index 064e85cca..1a3f1d522 100644
--- a/internal/middleware/extraheaders.go
+++ b/internal/middleware/extraheaders.go
@@ -18,15 +18,11 @@ package middleware
 import (
- "codeberg.org/gruf/go-debug"
 "github.com/gin-gonic/gin"
- "github.com/superseriousbusiness/gotosocial/internal/config"
 )
 // ExtraHeaders returns a new gin middleware which adds various extra headers to the response.
 func ExtraHeaders() gin.HandlerFunc {
- csp := BuildContentSecurityPolicy()
-
 return func(c *gin.Context) {
 // Inform all callers which server implementation this is.
 c.Header("Server", "gotosocial")
@@ -39,56 +35,5 @@ func ExtraHeaders() gin.HandlerFunc {
 //
 // See: https://github.com/patcg-individual-drafts/topics
 c.Header("Permissions-Policy", "browsing-topics=()")
-
- // Inform the browser we only load
- // CSS/JS/media using the given policy.
- c.Header("Content-Security-Policy", csp)
- }
-}
-
-func BuildContentSecurityPolicy() string {
- // Start with restrictive policy.
- policy := "default-src 'self'"
-
- if debug.DEBUG {
- // Debug is enabled, allow
- // serving things from localhost
- // as well (regardless of port).
- policy += " localhost:* ws://localhost:*"
- }
-
- // Disallow object-src as recommended https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
- policy += "; object-src 'none'"
-
- s3Endpoint := config.GetStorageS3Endpoint()
- if s3Endpoint == "" || config.GetStorageS3Proxy() {
- // S3 not configured or in proxy mode, just allow images from self and blob:
- policy += "; img-src 'self' blob:"
- return policy
 }
-
- // S3 is on and in non-proxy mode, so we need to add the S3 host to
- // the policy to allow images and video to be pulled from there too.
-
- // If secure is false,
- // use 'http' scheme.
- scheme := "https"
- if !config.GetStorageS3UseSSL() {
- scheme = "http"
- }
-
- // Construct endpoint URL.
- s3EndpointURLStr := scheme + "://" + s3Endpoint
-
- // When object storage is in use in non-proxied mode, GtS still serves some
- // assets itself like the logo, so keep 'self' in there. That should also
- // handle any redirects from the fileserver to object storage.
-
- // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
- policy += "; img-src 'self' blob: " + s3EndpointURLStr
-
- // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
- policy += "; media-src 'self' " + s3EndpointURLStr
-
- return policy
 }
|
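Review bot: After this hunk the middleware returned by ExtraHeaders no longer sets `Content-Security-Policy` at all, and BuildContentSecurityPolicy is deleted outright, so within this file nothing emits a CSP any more; the commit title suggests the policy moves to a separate S3-probing middleware, but that is outside this diff, and every router group that mounts ExtraHeaders must now also mount that new middleware or its responses lose the policy entirely. The same removal is what the first hunk's dropped `csp := BuildContentSecurityPolicy()` and the removed `go-debug`/`config` imports serve, so the two hunks stand or fall together. The doc comment on ExtraHeaders in the first hunk still reads "adds various extra headers", which a reader may take to include CSP; I would amend it to `// ExtraHeaders returns a new gin middleware which adds various extra headers to the response. The Content-Security-Policy header is set by a separate middleware.` once the new location is confirmed. A test asserting that a served page carries a `Content-Security-Policy` header would catch a missed mount, since nothing in the remaining code would fail loudly if the header were simply absent.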