Relax CSP on development error pages (#238)

This commit is contained in:
liamwhite 2024-04-28 14:09:08 -04:00 committed by GitHub
parent b1a23292fa
commit 77548057e8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 15 additions and 1 deletions


@ -134,10 +134,16 @@ if config_env() == :prod do
url: [host: System.fetch_env!("APP_HOSTNAME"), scheme: "https", port: 443], url: [host: System.fetch_env!("APP_HOSTNAME"), scheme: "https", port: 443],
secret_key_base: System.fetch_env!("SECRET_KEY_BASE"), secret_key_base: System.fetch_env!("SECRET_KEY_BASE"),
server: not is_nil(System.get_env("START_ENDPOINT")) server: not is_nil(System.get_env("START_ENDPOINT"))
# Do not relax CSP in production
config :philomena, csp_relaxed: false
else else
# Don't send email in development # Don't send email in development
config :philomena, Philomena.Mailer, adapter: Bamboo.LocalAdapter config :philomena, Philomena.Mailer, adapter: Bamboo.LocalAdapter
# Use this to debug slime templates # Use this to debug slime templates
# config :slime, :keep_lines, true # config :slime, :keep_lines, true
# Relax CSP rules in development and test servers
config :philomena, csp_relaxed: true
end end
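Review bot: The `else` branch sets `csp_relaxed: true` for every environment other than `:prod`, not only the "development and test servers" the new comment names; any custom env (a staging build, say) that runs with `config_env() != :prod` would also serve error pages without a CSP. If that is intended, the comment should say so: `# Relax CSP rules in every non-production environment`; if not, derive the flag from the environments actually meant, e.g. `config :philomena, csp_relaxed: config_env() in [:dev, :test]`, which keeps any other env fail-closed like production. The enclosing `if config_env() == :prod do` opens outside the hunk, so I cannot see whether other non-prod branches exist.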


@ -41,7 +41,13 @@ defmodule PhilomenaWeb.ContentSecurityPolicyPlug do
|> Enum.map(&cspify_element/1) |> Enum.map(&cspify_element/1)
|> Enum.join("; ") |> Enum.join("; ")
if conn.status == 500 and allow_relaxed_csp() do
# Allow Plug.Debugger to function in this case
delete_resp_header(conn, "content-security-policy")
else
# Enforce CSP otherwise
put_resp_header(conn, "content-security-policy", csp_value) put_resp_header(conn, "content-security-policy", csp_value)
end
end) end)
end end
@ -69,4 +75,6 @@ defmodule PhilomenaWeb.ContentSecurityPolicyPlug do
Enum.join([key | value], " ") Enum.join([key | value], " ")
end end
defp allow_relaxed_csp, do: Application.get_env(:philomena, :csp_relaxed, false)
end end
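Review bot: The new branch drops the `content-security-policy` header on every 500 once relaxed mode is on, not only when `Plug.Debugger` renders the page; status alone cannot distinguish the debugger page from a 500 rendered by the application's own error view, so those go out without a CSP too in dev/test. That is presumably acceptable outside production, but the comment should state the trade-off rather than just "Allow Plug.Debugger to function", e.g. `# Plug.Debugger's page needs inline script/style, so relaxed mode drops the CSP on every 500 (never enabled in prod)`. In the second hunk, `allow_relaxed_csp/0` defaults to `false`, which keeps an unset key fail-closed — worth a one-line comment there, and as a predicate it would conventionally be named `relaxed_csp?/0`. The function wrapping this `if` (closed by `end)` on the line after the branch) starts outside the hunk.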