mirror of
https://github.com/philomena-dev/philomena.git
synced 2024-11-23 20:18:00 +01:00
87 lines
2.5 KiB
Elixir
87 lines
2.5 KiB
Elixir
defmodule PhilomenaWeb.ContentSecurityPolicyPlug do
|
|
import PhilomenaWeb.Config
|
|
import Plug.Conn
|
|
|
|
@allowed_sources [
|
|
:script_src,
|
|
:frame_src,
|
|
:style_src
|
|
]
|
|
|
|
def init(opts) do
|
|
opts
|
|
end
|
|
|
|
def call(conn, _opts) do
|
|
cdn_uri = cdn_uri()
|
|
camo_uri = camo_uri()
|
|
|
|
register_before_send(conn, fn conn ->
|
|
config = get_config(conn)
|
|
|
|
script_src = Keyword.get(config, :script_src, [])
|
|
style_src = Keyword.get(config, :style_src, [])
|
|
frame_src = Keyword.get(config, :frame_src, nil)
|
|
|
|
csp_config = [
|
|
{:default_src, ["'self'"]},
|
|
{:script_src, [default_script_src() | script_src]},
|
|
{:connect_src, [default_connect_src()]},
|
|
{:style_src, [default_style_src() | style_src]},
|
|
{:object_src, ["'none'"]},
|
|
{:frame_ancestors, ["'none'"]},
|
|
{:frame_src, frame_src || ["'none'"]},
|
|
{:form_action, ["'self'"]},
|
|
{:manifest_src, ["'self'"]},
|
|
{:img_src, ["'self'", "blob:", "data:", cdn_uri, camo_uri]},
|
|
{:media_src, ["'self'", "blob:", "data:", cdn_uri, camo_uri]}
|
|
]
|
|
|
|
csp_value = Enum.map_join(csp_config, "; ", &cspify_element/1)
|
|
|
|
csp_relaxed? do
|
|
if conn.status == 500 do
|
|
# Allow Plug.Debugger to function in this case
|
|
delete_resp_header(conn, "content-security-policy")
|
|
else
|
|
# Enforce CSP otherwise
|
|
put_resp_header(conn, "content-security-policy", csp_value)
|
|
end
|
|
else
|
|
put_resp_header(conn, "content-security-policy", csp_value)
|
|
end
|
|
end)
|
|
end
|
|
|
|
def permit_source(conn, key, value) when key in @allowed_sources do
|
|
conn
|
|
|> get_config()
|
|
|> Keyword.update(key, value, &(value ++ &1))
|
|
|> set_config(conn)
|
|
end
|
|
|
|
defp get_config(conn), do: conn.private[:csp] || []
|
|
defp set_config(value, conn), do: put_private(conn, :csp, value)
|
|
|
|
defp cdn_uri, do: Application.get_env(:philomena, :cdn_host) |> to_uri()
|
|
defp camo_uri, do: Application.get_env(:philomena, :camo_host) |> to_uri()
|
|
|
|
defp default_script_src, do: vite_hmr?(do: "'self' localhost:5173", else: "'self'")
|
|
|
|
defp default_connect_src,
|
|
do: vite_hmr?(do: "'self' localhost:5173 ws://localhost:5173", else: "'self'")
|
|
|
|
defp default_style_src, do: vite_hmr?(do: "'self' 'unsafe-inline'", else: "'self'")
|
|
|
|
defp to_uri(host) when host in [nil, ""], do: ""
|
|
defp to_uri(host), do: URI.to_string(%URI{scheme: "https", host: host})
|
|
|
|
defp cspify_element({key, value}) do
|
|
key =
|
|
key
|
|
|> Atom.to_string()
|
|
|> String.replace("_", "-")
|
|
|
|
Enum.join([key | value], " ")
|
|
end
|
|
end
|