From 00e58c60cd59882199a7e378416a279de2b5212d Mon Sep 17 00:00:00 2001 From: tobi Date: Thu, 22 May 2025 12:34:39 +0200 Subject: [feature] Add ListenBrainz functionality on the web view (#4184) This pull request adds a very simple ad-hoc ListenBrainz widget to the frontend web view, with progressive enhancement (in all fail states it just falls back to rendering the field as normal). This necessitated adding the ListenBrainz API endpoint to the `connect-src` part of our Content-Security-Policy header. We might want to tweak this to only add that endpoint to `connect-src` for profiles, and then only for profiles that include a ListenBrainz field, but this would require significant dicking about with the middleware, and checks inside the app logic, such that it might not be worthwhile (after all, we control all the scripts right now anyway). Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4184 Co-authored-by: tobi Co-committed-by: tobi --- internal/middleware/contentsecuritypolicy.go | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) (limited to 'internal/middleware/contentsecuritypolicy.go') diff --git a/internal/middleware/contentsecuritypolicy.go b/internal/middleware/contentsecuritypolicy.go index fb35c3a08..eb5168376 100644 --- a/internal/middleware/contentsecuritypolicy.go +++ b/internal/middleware/contentsecuritypolicy.go @@ -37,6 +37,7 @@ func ContentSecurityPolicy(extraURIs ...string) gin.HandlerFunc { func BuildContentSecurityPolicy(extraURIs ...string) string { const ( defaultSrc = "default-src" + connectSrc = "connect-src" objectSrc = "object-src" imgSrc = "img-src" mediaSrc = "media-src" @@ -48,7 +49,7 @@ func BuildContentSecurityPolicy(extraURIs ...string) string { ) // CSP values keyed by directive. - values := make(map[string][]string, 4) + values := make(map[string][]string, 5) /* default-src @@ -69,6 +70,16 @@ func BuildContentSecurityPolicy(extraURIs ...string) string { } } + /* + connect-src + https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src + */ + + // Restrictive default policy, but + // include ListenBrainz API for fields. + const listenBrains = "https://api.listenbrainz.org/1/user/" + values[connectSrc] = append(values[defaultSrc], listenBrains) //nolint + /* object-src https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src @@ -118,9 +129,10 @@ func BuildContentSecurityPolicy(extraURIs ...string) string { // Iterate through an ordered slice rather than // iterating through the map, since we want these // policyDirectives in a determinate order. - policyDirectives := make([]string, 4) + policyDirectives := make([]string, 5) for i, directive := range []string{ defaultSrc, + connectSrc, objectSrc, imgSrc, mediaSrc, -- cgit v1.2.3