Diffstat (limited to 'internal/middleware/extraheaders.go')
-rw-r--r--internal/middleware/extraheaders.go55
1 files changed, 0 insertions, 55 deletions
diff --git a/internal/middleware/extraheaders.go b/internal/middleware/extraheaders.go
index 064e85cca..1a3f1d522 100644
--- a/internal/middleware/extraheaders.go
+++ b/internal/middleware/extraheaders.go
@@ -18,15 +18,11 @@
package middleware
import (
- "codeberg.org/gruf/go-debug"
"github.com/gin-gonic/gin"
- "github.com/superseriousbusiness/gotosocial/internal/config"
)
// ExtraHeaders returns a new gin middleware which adds various extra headers to the response.
func ExtraHeaders() gin.HandlerFunc {
- csp := BuildContentSecurityPolicy()
-
return func(c *gin.Context) {
// Inform all callers which server implementation this is.
c.Header("Server", "gotosocial")
@@ -39,56 +35,5 @@ func ExtraHeaders() gin.HandlerFunc {
//
// See: https://github.com/patcg-individual-drafts/topics
c.Header("Permissions-Policy", "browsing-topics=()")
-
- // Inform the browser we only load
- // CSS/JS/media using the given policy.
- c.Header("Content-Security-Policy", csp)
- }
-}
-
-func BuildContentSecurityPolicy() string {
- // Start with restrictive policy.
- policy := "default-src 'self'"
-
- if debug.DEBUG {
- // Debug is enabled, allow
- // serving things from localhost
- // as well (regardless of port).
- policy += " localhost:* ws://localhost:*"
- }
-
- // Disallow object-src as recommended https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
- policy += "; object-src 'none'"
-
- s3Endpoint := config.GetStorageS3Endpoint()
- if s3Endpoint == "" || config.GetStorageS3Proxy() {
- // S3 not configured or in proxy mode, just allow images from self and blob:
- policy += "; img-src 'self' blob:"
- return policy
}
-
- // S3 is on and in non-proxy mode, so we need to add the S3 host to
- // the policy to allow images and video to be pulled from there too.
-
- // If secure is false,
- // use 'http' scheme.
- scheme := "https"
- if !config.GetStorageS3UseSSL() {
- scheme = "http"
- }
-
- // Construct endpoint URL.
- s3EndpointURLStr := scheme + "://" + s3Endpoint
-
- // When object storage is in use in non-proxied mode, GtS still serves some
- // assets itself like the logo, so keep 'self' in there. That should also
- // handle any redirects from the fileserver to object storage.
-
- // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
- policy += "; img-src 'self' blob: " + s3EndpointURLStr
-
- // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
- policy += "; media-src 'self' " + s3EndpointURLStr
-
- return policy
}
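Review bot: After this hunk the middleware sets no Content-Security-Policy at all, so every response loses the `default-src 'self'; object-src 'none'` baseline that previously constrained where scripts, plugins and media could be loaded from; together with the first hunk (which drops the `csp` variable and the `config`/`debug` imports) nothing replaces it. The motivation is not visible in this diff — if the S3/debug-dependent `img-src`/`media-src` parts were what broke, that is worth saying in the commit, since dropping the whole header removes a defence-in-depth layer rather than the one problematic directive. At minimum the ExtraHeaders doc comment should make the gap explicit, e.g. `// Note: this middleware no longer sets Content-Security-Policy; callers must not rely on it.`, so the absence is deliberate and visible rather than silent. The handler closure and ExtraHeaders both end inside this hunk.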