philomena/lib/philomena_web/plugs/content_security_policy_plug.ex

defmodule PhilomenaWeb.ContentSecurityPolicyPlug do
  import PhilomenaWeb.Config
  import Plug.Conn

  @allowed_sources [
    :script_src,
    :frame_src,
    :style_src
  ]

  def init(opts) do
    opts
  end

  def call(conn, _opts) do
    cdn_uri = cdn_uri()
    camo_uri = camo_uri()

    register_before_send(conn, fn conn ->
      config = get_config(conn)

      script_src = Keyword.get(config, :script_src, [])
      style_src = Keyword.get(config, :style_src, [])
      frame_src = Keyword.get(config, :frame_src, nil)

      csp_config = [
        {:default_src, ["'self'"]},
        {:script_src, [default_script_src() | script_src]},
        {:connect_src, [default_connect_src()]},
        {:style_src, [default_style_src() | style_src]},
        {:object_src, ["'none'"]},
        {:frame_ancestors, ["'none'"]},
        {:frame_src, frame_src || ["'none'"]},
        {:form_action, ["'self'"]},
        {:manifest_src, ["'self'"]},
        {:img_src, ["'self'", "blob:", "data:", cdn_uri, camo_uri]},
        {:media_src, ["'self'", "blob:", "data:", cdn_uri, camo_uri]}
      ]

      csp_value = Enum.map_join(csp_config, "; ", &cspify_element/1)

      csp_relaxed? do
        if conn.status == 500 do
          # Allow Plug.Debugger to function in this case
          delete_resp_header(conn, "content-security-policy")
        else
          # Enforce CSP otherwise
          put_resp_header(conn, "content-security-policy", csp_value)
        end
      else
        put_resp_header(conn, "content-security-policy", csp_value)
      end
    end)
  end

  def permit_source(conn, key, value) when key in @allowed_sources do
    conn
    |> get_config()
    |> Keyword.update(key, value, &(value ++ &1))
    |> set_config(conn)
  end

  defp get_config(conn), do: conn.private[:csp] || []
  defp set_config(value, conn), do: put_private(conn, :csp, value)

  defp cdn_uri, do: Application.get_env(:philomena, :cdn_host) |> to_uri()
  defp camo_uri, do: Application.get_env(:philomena, :camo_host) |> to_uri()

  defp default_script_src, do: vite_hmr?(do: "'self' localhost:5173", else: "'self'")

  defp default_connect_src,
    do: vite_hmr?(do: "'self' localhost:5173 ws://localhost:5173", else: "'self'")

  defp default_style_src, do: vite_hmr?(do: "'self' 'unsafe-inline'", else: "'self'")

  defp to_uri(host) when host in [nil, ""], do: ""
  defp to_uri(host), do: URI.to_string(%URI{scheme: "https", host: host})

  defp cspify_element({key, value}) do
    key =
      key
      |> Atom.to_string()
      |> String.replace("_", "-")

    Enum.join([key | value], " ")
  end
end
add csp, add global last button 2019-12-06 18:41:02 +01:00			`defmodule PhilomenaWeb.ContentSecurityPolicyPlug do`
USe compile-time environment checks 2024-05-04 03:06:15 +02:00			`import PhilomenaWeb.Config`
allow CSP customization on a per-controller basis 2020-08-24 00:30:58 +02:00			`import Plug.Conn`

			`@allowed_sources [`
			`:script_src,`
			`:frame_src,`
			`:style_src`
			`]`
add csp, add global last button 2019-12-06 18:41:02 +01:00
ensure CSP plug config happens at runtime, not compile time 2020-08-06 19:27:56 +02:00			`def init(opts) do`
			`opts`
			`end`

			`def call(conn, _opts) do`
add csp, add global last button 2019-12-06 18:41:02 +01:00			`cdn_uri = cdn_uri()`
			`camo_uri = camo_uri()`

allow CSP customization on a per-controller basis 2020-08-24 00:30:58 +02:00			`register_before_send(conn, fn conn ->`
			`config = get_config(conn)`

			`script_src = Keyword.get(config, :script_src, [])`
			`style_src = Keyword.get(config, :style_src, [])`
			`frame_src = Keyword.get(config, :frame_src, nil)`

			`csp_config = [`
strongly segregate domains of main site and ugc in security policy 2021-03-17 01:24:58 +01:00			`{:default_src, ["'self'"]},`
Vite HMR for JS/TS (and jankily for CSS) (#242) * prelim work on vite reload * the best solution to a problem is usually the easiest one 2024-04-30 19:13:46 +02:00			`{:script_src, [default_script_src() \| script_src]},`
			`{:connect_src, [default_connect_src()]},`
			`{:style_src, [default_style_src() \| style_src]},`
allow CSP customization on a per-controller basis 2020-08-24 00:30:58 +02:00			`{:object_src, ["'none'"]},`
			`{:frame_ancestors, ["'none'"]},`
			`{:frame_src, frame_src \|\| ["'none'"]},`
			`{:form_action, ["'self'"]},`
			`{:manifest_src, ["'self'"]},`
Video upload previews (#141) 2021-10-06 03:31:50 +02:00			`{:img_src, ["'self'", "blob:", "data:", cdn_uri, camo_uri]},`
Remove obsolete block-all-mixed-content This was removed in all major browsers with no replacement. See https://www.w3.org/TR/mixed-content/#strict-checking for details on the obsolescence. 2024-06-23 17:52:20 +02:00			`{:media_src, ["'self'", "blob:", "data:", cdn_uri, camo_uri]}`
allow CSP customization on a per-controller basis 2020-08-24 00:30:58 +02:00			`]`

Fix some credo issues 2024-06-25 05:23:43 +02:00			`csp_value = Enum.map_join(csp_config, "; ", &cspify_element/1)`
allow CSP customization on a per-controller basis 2020-08-24 00:30:58 +02:00
USe compile-time environment checks 2024-05-04 03:06:15 +02:00			`csp_relaxed? do`
			`if conn.status == 500 do`
			`# Allow Plug.Debugger to function in this case`
			`delete_resp_header(conn, "content-security-policy")`
			`else`
			`# Enforce CSP otherwise`
			`put_resp_header(conn, "content-security-policy", csp_value)`
			`end`
Relax CSP on development error pages (#238) 2024-04-28 20:09:08 +02:00			`else`
			`put_resp_header(conn, "content-security-policy", csp_value)`
			`end`
allow CSP customization on a per-controller basis 2020-08-24 00:30:58 +02:00			`end)`
			`end`
add csp, add global last button 2019-12-06 18:41:02 +01:00
allow CSP customization on a per-controller basis 2020-08-24 00:30:58 +02:00			`def permit_source(conn, key, value) when key in @allowed_sources do`
			`conn`
			`\|> get_config()`
hCaptcha (#19) 2020-09-12 19:43:16 +02:00			`\|> Keyword.update(key, value, &(value ++ &1))`
allow CSP customization on a per-controller basis 2020-08-24 00:30:58 +02:00			`\|> set_config(conn)`
add csp, add global last button 2019-12-06 18:41:02 +01:00			`end`

allow CSP customization on a per-controller basis 2020-08-24 00:30:58 +02:00			`defp get_config(conn), do: conn.private[:csp] \|\| []`
			`defp set_config(value, conn), do: put_private(conn, :csp, value)`

add csp, add global last button 2019-12-06 18:41:02 +01:00			`defp cdn_uri, do: Application.get_env(:philomena, :cdn_host) \|> to_uri()`
			`defp camo_uri, do: Application.get_env(:philomena, :camo_host) \|> to_uri()`
Vite HMR for JS/TS (and jankily for CSS) (#242) * prelim work on vite reload * the best solution to a problem is usually the easiest one 2024-04-30 19:13:46 +02:00
USe compile-time environment checks 2024-05-04 03:06:15 +02:00			`defp default_script_src, do: vite_hmr?(do: "'self' localhost:5173", else: "'self'")`
Vite HMR for JS/TS (and jankily for CSS) (#242) * prelim work on vite reload * the best solution to a problem is usually the easiest one 2024-04-30 19:13:46 +02:00
			`defp default_connect_src,`
USe compile-time environment checks 2024-05-04 03:06:15 +02:00			`do: vite_hmr?(do: "'self' localhost:5173 ws://localhost:5173", else: "'self'")`
Vite HMR for JS/TS (and jankily for CSS) (#242) * prelim work on vite reload * the best solution to a problem is usually the easiest one 2024-04-30 19:13:46 +02:00
USe compile-time environment checks 2024-05-04 03:06:15 +02:00			`defp default_style_src, do: vite_hmr?(do: "'self' 'unsafe-inline'", else: "'self'")`
add csp, add global last button 2019-12-06 18:41:02 +01:00
			`defp to_uri(host) when host in [nil, ""], do: ""`
			`defp to_uri(host), do: URI.to_string(%URI{scheme: "https", host: host})`
allow CSP customization on a per-controller basis 2020-08-24 00:30:58 +02:00
			`defp cspify_element({key, value}) do`
			`key =`
			`key`
			`\|> Atom.to_string()`
			`\|> String.replace("_", "-")`

			`Enum.join([key \| value], " ")`
			`end`
run formatter 2020-01-11 05:20:19 +01:00			`end`