Merge pull request #438 from MareStare/feat/relax-csp-in-dev-env

[Part 3] Relax CSP in dev env to allow for private IPs
liamwhite 2025-03-04 19:33:01 -05:00 committed by GitHub
commit 8b3f11282f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -25,8 +25,8 @@ defmodule PhilomenaWeb.ContentSecurityPolicyPlug do
csp_config = [ csp_config = [
{:default_src, ["'self'"]}, {:default_src, ["'self'"]},
{:script_src, [default_script_src() | script_src]}, {:script_src, [default_script_src(conn.host) | script_src]},
{:connect_src, [default_connect_src()]}, {:connect_src, [default_connect_src(conn.host)]},
{:style_src, [default_style_src() | style_src]}, {:style_src, [default_style_src() | style_src]},
{:object_src, ["'none'"]}, {:object_src, ["'none'"]},
{:frame_ancestors, ["'none'"]}, {:frame_ancestors, ["'none'"]},
@ -66,12 +66,18 @@ defmodule PhilomenaWeb.ContentSecurityPolicyPlug do
defp cdn_uri, do: Application.get_env(:philomena, :cdn_host) |> to_uri() defp cdn_uri, do: Application.get_env(:philomena, :cdn_host) |> to_uri()
defp camo_uri, do: Application.get_env(:philomena, :camo_host) |> to_uri() defp camo_uri, do: Application.get_env(:philomena, :camo_host) |> to_uri()
defp default_script_src, do: vite_hmr?(do: "'self' localhost:5173", else: "'self'") # Use the "current host" in vite HMR mode for whatever the "current host" is.
# Usually it's `localhost`, but it may be some other private IP address, that
defp default_connect_src, # you use to test the frontend on a mobile device connected via a local Wi-Fi.
do: vite_hmr?(do: "'self' localhost:5173 ws://localhost:5173", else: "'self'") vite_hmr? do
defp default_script_src(host), do: "'self' #{host}:5173"
defp default_style_src, do: vite_hmr?(do: "'self' 'unsafe-inline'", else: "'self'") defp default_connect_src(host), do: "'self' #{host}:5173 ws://#{host}:5173"
defp default_style_src, do: "'self' 'unsafe-inline'"
else
defp default_connect_src(_host), do: "'self'"
defp default_script_src(_host), do: "'self'"
defp default_style_src, do: "'self'"
end
defp to_uri(host) when host in [nil, ""], do: "" defp to_uri(host) when host in [nil, ""], do: ""
defp to_uri(host), do: URI.to_string(%URI{scheme: "https", host: host}) defp to_uri(host), do: URI.to_string(%URI{scheme: "https", host: host})
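Review bot: In the second hunk, `default_script_src/1` and `default_connect_src/1` interpolate `host` straight into the CSP header, and the first hunk feeds them `conn.host`, which comes from the client-supplied `Host` header; nothing on the new side checks that the value is the loopback or private address the comment describes, so any host the adapter accepts becomes an allowed `script-src`/`connect-src` origin on port 5173. The `vite_hmr? do … else … end` form suggests this branch is compiled in only for the HMR dev build, which limits the exposure to development, but a short guard would keep the intent explicit, e.g. `defp default_script_src(host) when host in ["localhost", "127.0.0.1"], do: "'self' #{host}:5173"` with a final `defp default_script_src(_host), do: "'self'"` clause (or a private-range check on the parsed address) and the same shape for `default_connect_src/1`. The new comment also reads awkwardly; consider `# In vite HMR mode, allow the request's host on port 5173 so the dev server is reachable when testing from another device on the LAN, not just from localhost.`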