Ability to set the Service-Worker-Allowed header

This commit is contained in:
eugenijm 2021-01-08 12:06:04 +03:00
parent d8860eaee4
commit 133644dfa2
4 changed files with 25 additions and 1 deletions

View File

@ -35,7 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
- Ability to set ActivityPub aliases for follower migration.
- Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
- Ability to set the `Service-Worker-Allowed` header
<details>
<summary>API Changes</summary>

View File

@ -1749,6 +1749,14 @@ config :pleroma, :config_description, [
type: :string,
description: "Adds the specified URL to report-uri and report-to group in CSP header",
suggestions: ["https://example.com/report-uri"]
},
%{
key: :service_worker_allowed,
label: "The Service-Worker-Allowed header",
type: :string,
description:
"Sets the Service-Worker-Allowed header which limits the maximum allowed Service Worker scope",
suggestions: ["/"]
}
]
},

View File

@ -23,6 +23,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
defp headers do
referrer_policy = Config.get([:http_security, :referrer_policy])
report_uri = Config.get([:http_security, :report_uri])
service_worker_allowed = Config.get([:http_security, :service_worker_allowed])
headers = [
{"x-xss-protection", "1; mode=block"},
@ -34,6 +35,13 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
{"content-security-policy", csp_string()}
]
headers =
if service_worker_allowed do
[{"service-worker-allowed", service_worker_allowed} | headers]
else
headers
end
if report_uri do
report_group = %{
"group" => "csp-endpoint",

View File

@ -72,6 +72,14 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
assert csp =~ "media-src 'self' https:;"
assert csp =~ "img-src 'self' data: blob: https:;"
end
test "it sets the Service-Worker-Allowed header", %{conn: conn} do
clear_config([:http_security, :enabled], true)
clear_config([:http_security, :service_worker_allowed], "/")
conn = get(conn, "/api/v1/instance")
assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
end
end
describe "img-src and media-src" do