author | 2023-08-11 17:49:17 +0200 | |
---|---|---|
committer | 2023-08-11 17:49:17 +0200 | |
commit | b7274545e0e1836fa7635da5adcc16a5063ba406 (patch) | |
tree | 2eac46fb69f7506709563f7cbc6366c6c91935c4 /internal/middleware/extraheaders.go | |
parent | [bugfix] Suppress 'errNoEntries' warnings from InboxForwarding function call ... (diff) | |
download | gotosocial-b7274545e0e1836fa7635da5adcc16a5063ba406.tar.xz |
[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103)v0.11.0-rc2
* [bugfix] Add s3 endpoint as image-src and media-src for CSP
* use https if secure
* reorder comment
Diffstat (limited to 'internal/middleware/extraheaders.go')
-rw-r--r-- | internal/middleware/extraheaders.go | 60 |
1 files changed, 54 insertions, 6 deletions
diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go
index f584633fe..cd207a9f1 100644
--- a/internal/middleware/extraheaders.go
+++ b/internal/middleware/extraheaders.go
@@ -20,17 +20,17 @@ package middleware
 import (
 	"codeberg.org/gruf/go-debug"
 	"github.com/gin-gonic/gin"
+	"github.com/superseriousbusiness/gotosocial/internal/config"
 )
 
 // ExtraHeaders returns a new gin middleware which adds various extra headers to the response.
 func ExtraHeaders() gin.HandlerFunc {
-	policy := "default-src 'self'"
-	if debug.DEBUG {
-		policy += " localhost:*"
-	}
+	csp := BuildContentSecurityPolicy()
+
 	return func(c *gin.Context) {
 		// Inform all callers which server implementation this is.
 		c.Header("Server", "gotosocial")
+
 		// Prevent google chrome cohort tracking. Originally this was referred
 		// to as FlocBlock. Floc was replaced by Topics in 2022 and the spec says
 		// that interest-cohort will also block Topics (as of 2022-Nov).
@@ -39,7 +39,55 @@ func ExtraHeaders() gin.HandlerFunc {
 		//
 		// See: https://github.com/patcg-individual-drafts/topics
 		c.Header("Permissions-Policy", "browsing-topics=()")
-		// Inform the browser we only load CSS/JS/media from the same domain
-		c.Header("Content-Security-Policy", policy)
+
+		// Inform the browser we only load
+		// CSS/JS/media using the given policy.
+		c.Header("Content-Security-Policy", csp)
 	}
 }
+
+func BuildContentSecurityPolicy() string {
+	// Start with restrictive policy.
+	policy := "default-src 'self'"
+
+	if debug.DEBUG {
+		// Debug is enabled, allow
+		// serving things from localhost
+		// as well (regardless of port).
+		policy += " localhost:*"
+	}
+
+	s3Endpoint := config.GetStorageS3Endpoint()
+	if s3Endpoint == "" {
+		// S3 not configured,
+		// default policy is OK.
+		return policy
+	}
+
+	if config.GetStorageS3Proxy() {
+		// S3 is configured in proxy
+		// mode, default policy is OK.
+		return policy
+	}
+
+	// S3 is on and in non-proxy mode, so we need to add the S3 host to
+	// the policy to allow images and video to be pulled from there too.
+
+	// If secure is false,
+	// use 'http' scheme.
+	scheme := "https"
+	if !config.GetStorageS3UseSSL() {
+		scheme = "http"
+	}
+
+	// Construct endpoint URL.
+	s3EndpointURLStr := scheme + "://" + s3Endpoint
+
+	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
+	policy += "; image-src " + s3EndpointURLStr
+
+	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
+	policy += "; media-src " + s3EndpointURLStr
+
+	return policy
+}
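Review bot: The directive name on the image line of BuildContentSecurityPolicy is wrong: CSP has no `image-src` directive (the MDN link directly above it points at img-src), so browsers will discard it as unknown and images from the S3 host remain governed by `default-src 'self'`, which is exactly what this change is trying to relax. Separately, once an `img-src` or `media-src` directive is present it replaces default-src for that resource type rather than extending it, so `'self'` has to be repeated or images and media served by the instance itself would be blocked; the two lines should read `policy += "; img-src 'self' " + s3EndpointURLStr` and `policy += "; media-src 'self' " + s3EndpointURLStr`. BuildContentSecurityPolicy is exported but carries no doc comment; a one-liner such as `// BuildContentSecurityPolicy returns the Content-Security-Policy header value, extended with the S3 endpoint when S3 is configured in non-proxy mode.` would satisfy the Go convention. The body of ExtraHeaders begins outside this hunk.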