From 2d9b85d686aba3dc23d6c5d90576b13a3b3657ba Mon Sep 17 00:00:00 2001
From: "byte[]"
Date: Fri, 6 Dec 2019 12:41:02 -0500
Subject: [PATCH] add csp, add global last button
---
 lib/philomena_web/endpoint.ex | 2 --
 .../plugs/content_security_policy_plug.ex | 26 +++++++++++++++++++
 lib/philomena_web/router.ex | 1 +
 .../pagination/_pagination.html.slime | 5 +---
 4 files changed, 28 insertions(+), 6 deletions(-)
 create mode 100644 lib/philomena_web/plugs/content_security_policy_plug.ex
diff --git a/lib/philomena_web/endpoint.ex b/lib/philomena_web/endpoint.ex
index c38e0b10..d1b8a71f 100644
--- a/lib/philomena_web/endpoint.ex
+++ b/lib/philomena_web/endpoint.ex
@@ -21,8 +21,6 @@ defmodule PhilomenaWeb.Endpoint do
 # Code reloading can be explicitly enabled under the
 # :code_reloader configuration of your endpoint.
 if code_reloading? do
- socket "/phoenix/live_reload/socket", Phoenix.LiveReloader.Socket
- plug Phoenix.LiveReloader
 plug Phoenix.CodeReloader
 end
diff --git a/lib/philomena_web/plugs/content_security_policy_plug.ex b/lib/philomena_web/plugs/content_security_policy_plug.ex
new file mode 100644
index 00000000..ea7236cc
--- /dev/null
+++ b/lib/philomena_web/plugs/content_security_policy_plug.ex
@@ -0,0 +1,26 @@
+defmodule PhilomenaWeb.ContentSecurityPolicyPlug do
+ alias Plug.Conn
+
+ def init([]) do
+ cdn_uri = cdn_uri()
+ camo_uri = camo_uri()
+
+ csp_value =
+ "default-src 'self' #{cdn_uri}; object-src 'none'; " <>
+ "frame-ancestors 'none'; frame-src 'none'; form-action 'self'; " <>
+ "manifest-src 'self'; img-src 'self' data: #{cdn_uri} #{camo_uri}; " <>
+ "block-all-mixed-content"
+
+ [csp_value: csp_value]
+ end
+
+ def call(conn, [csp_value: csp_value]) do
+ Conn.put_resp_header(conn, "Content-Security-Policy", csp_value)
+ end
+
+ defp cdn_uri, do: Application.get_env(:philomena, :cdn_host) |> to_uri()
+ defp camo_uri, do: Application.get_env(:philomena, :camo_host) |> to_uri()
+
+ defp to_uri(host) when host in [nil, ""], do: ""
+ defp to_uri(host), do: URI.to_string(%URI{scheme: "https", host: host})
+end
\ No newline at end of file
diff --git a/lib/philomena_web/router.ex b/lib/philomena_web/router.ex
index 725610e0..ff38a85f 100644
--- a/lib/philomena_web/router.ex
+++ b/lib/philomena_web/router.ex
@@ -9,6 +9,7 @@ defmodule PhilomenaWeb.Router do
 plug :fetch_flash
 plug :protect_from_forgery
 plug :put_secure_browser_headers
+ plug PhilomenaWeb.ContentSecurityPolicyPlug
 plug PhilomenaWeb.CurrentFilterPlug
 plug PhilomenaWeb.ImageFilterPlug
 plug PhilomenaWeb.PaginationPlug
diff --git a/lib/philomena_web/templates/pagination/_pagination.html.slime b/lib/philomena_web/templates/pagination/_pagination.html.slime
index 6039ac2f..6f9e124d 100644
--- a/lib/philomena_web/templates/pagination/_pagination.html.slime
+++ b/lib/philomena_web/templates/pagination/_pagination.html.slime
@@ -1,5 +1,4 @@
 - params = assigns[:params] || []
-- last = assigns[:last] || false
 = if @page.total_pages > 1 do
 nav.pagination
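Review bot: `init/1` reads `:cdn_host` and `:camo_host` from the application environment, but a plug listed in a Phoenix router pipeline has its `init/1` evaluated at compile time unless `:plug_init_mode` is set to `:runtime`, so the hosts baked into the policy are whatever the build machine had configured and values supplied only at runtime (release configuration, environment variables) would not appear in the header; building the directive string in `call/2`, as sketched below, avoids that. The header key in `call/2` should be lowercase, `"content-security-policy"`, since Plug expects lowercase response header keys and `put_resp_header/3` raises `Plug.Conn.InvalidHeaderError` on uppercase keys when header-key validation is enabled, as it is under test. The policy also sets no `base-uri`; adding `base-uri 'self'` to the string is a cheap way to keep an injected `<base>` element from redirecting relative script and asset URLs. The new file is left without a trailing newline.

```elixir
  # No options needed: the policy is assembled per request so that
  # configuration provided at runtime is honoured.
  def init(opts), do: opts

  def call(conn, _opts) do
    Conn.put_resp_header(conn, "content-security-policy", csp_value())
  end

  defp csp_value do
    cdn_uri = cdn_uri()
    camo_uri = camo_uri()

    # … unchanged: directive string previously assembled in init/1 …
  end

  # … unchanged: cdn_uri/0, camo_uri/0, to_uri/1 …
```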
@@ -25,6 +24,4 @@
 = if not last_page?(@page) do
 = link("Next ›", to: next_page_path(@page, @route, params), class: "js-next")
-
- = if last do
- = link("Last »", to: last_page_path(@page, @route, params))
\ No newline at end of file
+ = link("Last »", to: last_page_path(@page, @route, params))
\ No newline at end of file
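Review bot: The added `Last »` link on the last line is no longer conditional, and the collapsed diff does not preserve whether it sits inside the `= if not last_page?(@page) do` block above it; if it is a sibling of that block it renders a link to the page the user is already on, while `Next ›` is suppressed there. Nesting the new line under the existing `= if not last_page?(@page) do` keeps the two links consistent. Callers that still pass `last: true` to this partial (the assign removed in this file's first hunk) are now silently ignored, so they should be cleaned up in the same change to avoid misleading readers. The enclosing `= if @page.total_pages > 1 do` block starts outside the hunk, and the file is still left without a trailing newline.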