Allow to define custom HTTP headers per each frontend
This commit is contained in:
parent
133644dfa2
commit
7fcaa188a0
@ -35,7 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||||||
- OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
|
- OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
|
||||||
- Ability to set ActivityPub aliases for follower migration.
|
- Ability to set ActivityPub aliases for follower migration.
|
||||||
- Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
|
- Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
|
||||||
- Ability to set the `Service-Worker-Allowed` header
|
- Ability to define custom HTTP headers per each frontend
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
<summary>API Changes</summary>
|
<summary>API Changes</summary>
|
||||||
|
@ -723,7 +723,10 @@ config :pleroma, :frontends,
|
|||||||
"git" => "https://git.pleroma.social/pleroma/fedi-fe",
|
"git" => "https://git.pleroma.social/pleroma/fedi-fe",
|
||||||
"build_url" =>
|
"build_url" =>
|
||||||
"https://git.pleroma.social/pleroma/fedi-fe/-/jobs/artifacts/${ref}/download?job=build",
|
"https://git.pleroma.social/pleroma/fedi-fe/-/jobs/artifacts/${ref}/download?job=build",
|
||||||
"ref" => "master"
|
"ref" => "master",
|
||||||
|
"custom-http-headers" => [
|
||||||
|
{"service-worker-allowed", "/"}
|
||||||
|
]
|
||||||
},
|
},
|
||||||
"admin-fe" => %{
|
"admin-fe" => %{
|
||||||
"name" => "admin-fe",
|
"name" => "admin-fe",
|
||||||
|
@ -60,6 +60,12 @@ frontend_options = [
|
|||||||
label: "Build directory",
|
label: "Build directory",
|
||||||
type: :string,
|
type: :string,
|
||||||
description: "The directory inside the zip file "
|
description: "The directory inside the zip file "
|
||||||
|
},
|
||||||
|
%{
|
||||||
|
key: "custom-http-headers",
|
||||||
|
label: "Custom HTTP headers",
|
||||||
|
type: {:list, :string},
|
||||||
|
description: "The custom HTTP headers for the frontend"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|
||||||
@ -1749,14 +1755,6 @@ config :pleroma, :config_description, [
|
|||||||
type: :string,
|
type: :string,
|
||||||
description: "Adds the specified URL to report-uri and report-to group in CSP header",
|
description: "Adds the specified URL to report-uri and report-to group in CSP header",
|
||||||
suggestions: ["https://example.com/report-uri"]
|
suggestions: ["https://example.com/report-uri"]
|
||||||
},
|
|
||||||
%{
|
|
||||||
key: :service_worker_allowed,
|
|
||||||
label: "The Service-Worker-Allowed header",
|
|
||||||
type: :string,
|
|
||||||
description:
|
|
||||||
"Sets the Service-Worker-Allowed header which limits the maximum allowed Service Worker scope",
|
|
||||||
suggestions: ["/"]
|
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
@ -20,10 +20,26 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
|
|||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
defp headers do
|
def primary_frontend do
|
||||||
|
with %{"name" => frontend} <- Config.get([:frontends, :primary]),
|
||||||
|
available <- Config.get([:frontends, :available]),
|
||||||
|
%{} = primary_frontend <- Map.get(available, frontend) do
|
||||||
|
{:ok, primary_frontend}
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def custom_http_frontend_headers do
|
||||||
|
with {:ok, %{"custom-http-headers" => custom_headers}} <- primary_frontend() do
|
||||||
|
custom_headers
|
||||||
|
else
|
||||||
|
_ -> []
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
def headers do
|
||||||
referrer_policy = Config.get([:http_security, :referrer_policy])
|
referrer_policy = Config.get([:http_security, :referrer_policy])
|
||||||
report_uri = Config.get([:http_security, :report_uri])
|
report_uri = Config.get([:http_security, :report_uri])
|
||||||
service_worker_allowed = Config.get([:http_security, :service_worker_allowed])
|
custom_http_frontend_headers = custom_http_frontend_headers()
|
||||||
|
|
||||||
headers = [
|
headers = [
|
||||||
{"x-xss-protection", "1; mode=block"},
|
{"x-xss-protection", "1; mode=block"},
|
||||||
@ -36,8 +52,8 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
|
|||||||
]
|
]
|
||||||
|
|
||||||
headers =
|
headers =
|
||||||
if service_worker_allowed do
|
if custom_http_frontend_headers do
|
||||||
[{"service-worker-allowed", service_worker_allowed} | headers]
|
custom_http_frontend_headers ++ headers
|
||||||
else
|
else
|
||||||
headers
|
headers
|
||||||
end
|
end
|
||||||
|
@ -75,7 +75,14 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
|
|||||||
|
|
||||||
test "it sets the Service-Worker-Allowed header", %{conn: conn} do
|
test "it sets the Service-Worker-Allowed header", %{conn: conn} do
|
||||||
clear_config([:http_security, :enabled], true)
|
clear_config([:http_security, :enabled], true)
|
||||||
clear_config([:http_security, :service_worker_allowed], "/")
|
clear_config([:frontends, :primary], %{"name" => "fedi-fe", "ref" => "develop"})
|
||||||
|
|
||||||
|
clear_config([:frontends, :available], %{
|
||||||
|
"fedi-fe" => %{
|
||||||
|
"name" => "fedi-fe",
|
||||||
|
"custom-http-headers" => [{"service-worker-allowed", "/"}]
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
conn = get(conn, "/api/v1/instance")
|
conn = get(conn, "/api/v1/instance")
|
||||||
assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
|
assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
|
||||||
|
Loading…
Reference in New Issue
Block a user