2019-12-06 18:41:02 +01:00
|
|
|
defmodule PhilomenaWeb.ContentSecurityPolicyPlug do
|
|
|
|
|
alias Plug.Conn
|
|
|
|
|
|
|
|
|
|
def init([]) do
|
|
|
|
|
cdn_uri = cdn_uri()
|
|
|
|
|
camo_uri = camo_uri()
|
|
|
|
|
|
|
|
|
|
csp_value =
|
|
|
|
|
"default-src 'self' #{cdn_uri}; object-src 'none'; " <>
|
2020-01-11 05:20:19 +01:00
|
|
|
"frame-ancestors 'none'; frame-src 'none'; form-action 'self'; " <>
|
|
|
|
|
"manifest-src 'self'; img-src 'self' data: #{cdn_uri} #{camo_uri}; " <>
|
|
|
|
|
"block-all-mixed-content"
|
2019-12-06 18:41:02 +01:00
|
|
|
|
|
|
|
|
[csp_value: csp_value]
|
|
|
|
|
end
|
|
|
|
|
|
2020-01-11 05:20:19 +01:00
|
|
|
def call(conn, csp_value: csp_value) do
|
2019-12-24 01:20:24 +01:00
|
|
|
Conn.put_resp_header(conn, "content-security-policy", csp_value)
|
2019-12-06 18:41:02 +01:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
defp cdn_uri, do: Application.get_env(:philomena, :cdn_host) |> to_uri()
|
|
|
|
|
defp camo_uri, do: Application.get_env(:philomena, :camo_host) |> to_uri()
|
|
|
|
|
|
|
|
|
|
defp to_uri(host) when host in [nil, ""], do: ""
|
|
|
|
|
defp to_uri(host), do: URI.to_string(%URI{scheme: "https", host: host})
|
2020-01-11 05:20:19 +01:00
|
|
|
end
|
