From 4db13046b77322fc4258afcbd2197ad7b2ff27e4 Mon Sep 17 00:00:00 2001
From: Thomas Citharel
Date: Fri, 26 Aug 2022 17:18:54 +0200
Subject: [PATCH] Provide an accept CSP policy for global search pictures

Signed-off-by: Thomas Citharel
---
 config/config.exs | 5 ++++-
 lib/service/global_search/provider.ex | 4 ++++
 lib/service/global_search/search_mobilizon.ex | 10 ++++++++++
 lib/web/plugs/http_security_plug.ex | 4 +++-
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/config/config.exs b/config/config.exs
index 3651b9d6a..1ebf3e65a 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -371,7 +371,10 @@ config :mobilizon, Mobilizon.Service.GlobalSearch,
   service: Mobilizon.Service.GlobalSearch.SearchMobilizon
 
 config :mobilizon, Mobilizon.Service.GlobalSearch.SearchMobilizon,
-  endpoint: "https://search.joinmobilizon.org"
+  endpoint: "https://search.joinmobilizon.org",
+  csp_policy: [
+    img_src: "search.joinmobilizon.org"
+  ]
 
 # Import environment specific config. This must remain at the bottom
 # of this file so it overrides the configuration defined above.
diff --git a/lib/service/global_search/provider.ex b/lib/service/global_search/provider.ex
index f936e0680..18ef92847 100644
--- a/lib/service/global_search/provider.ex
+++ b/lib/service/global_search/provider.ex
@@ -32,6 +32,10 @@ defmodule Mobilizon.Service.GlobalSearch.Provider do
           Page.t(EventResult.t())
   @callback search_groups(search_options :: keyword) :: Page.t(GroupResult.t())
 
+  @doc """
+  The CSP configuration to add for the service to work
+  """
+  @callback csp() :: keyword()
 
   @spec endpoint(atom()) :: String.t()
   def endpoint(provider) do
diff --git a/lib/service/global_search/search_mobilizon.ex b/lib/service/global_search/search_mobilizon.ex
index 435b5b83c..479fbddf7 100644
--- a/lib/service/global_search/search_mobilizon.ex
+++ b/lib/service/global_search/search_mobilizon.ex
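Review bot: The new `csp_policy` `img_src` host is declared independently of the `endpoint` value on the line above it, so the two can drift: an operator who overrides `endpoint` in an environment-specific config without also overriding `csp_policy` keeps the default `search.joinmobilizon.org` source, and the provider's pictures are then blocked by the browser's CSP with no server-side error to point at the cause. A comment on the `csp_policy:` line would make the coupling visible: `# Host of :endpoint above; override both together or the search service's pictures are blocked by the CSP`. The value is a scheme-less host-source, which CSP matches against the page's own scheme as well; if the endpoint is only ever reached over HTTPS, `img_src: "https://search.joinmobilizon.org"` pins that explicitly.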
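Review bot: The docstring on the new `@callback csp() :: keyword()` says the configuration is "added" but not what shape it must have, and the shape is a hard contract: `HTTPSecurityPlug` in this same patch does `Keyword.get(csp(), type, [])` and space-joins the result into the header, so keys must be CSP directive atoms such as `:img_src` and each value must be a CSP source-list string. Suggest replacing the doc with a sentence along the lines of: returns the CSP sources this provider needs, as a keyword list keyed by directive atom (for example `img_src: "search.joinmobilizon.org"`), whose values are appended verbatim to the instance's Content-Security-Policy header. This is also a new required callback on an existing behaviour: a `Provider` implementation maintained outside this repository will not get the compiler warning and will raise on every request once the plug calls `csp/0`, so either `@optional_callbacks csp: 0` together with a guard in the plug, or a changelog entry stating the new requirement, seems warranted.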
@@ -113,6 +113,16 @@ defmodule Mobilizon.Service.GlobalSearch.SearchMobilizon do
     end
   end
 
+  @impl Provider
+  @doc """
+  Returns the CSP configuration for this search provider to work
+  """
+  def csp do
+    :mobilizon
+    |> Application.get_env(__MODULE__, [])
+    |> Keyword.get(:csp_policy, [])
+  end
+
   defp build_event(data) do
     picture =
       if data["banner"] do
diff --git a/lib/web/plugs/http_security_plug.ex b/lib/web/plugs/http_security_plug.ex
index 9345d8bc4..b18c85d14 100644
--- a/lib/web/plugs/http_security_plug.ex
+++ b/lib/web/plugs/http_security_plug.ex
@@ -10,6 +10,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
 
   alias Mobilizon.Config
   alias Mobilizon.Service.FrontEndAnalytics
+  alias Mobilizon.Service.GlobalSearch
   import Plug.Conn
   require Logger
 
@@ -139,7 +140,8 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
   defp get_csp_config(type, options) do
     config_policy = Keyword.get(options, type, Config.get([:http_security, :csp_policy, type]))
     front_end_analytics_policy = [Keyword.get(FrontEndAnalytics.csp(), type, [])]
+    global_search_policy = [Keyword.get(GlobalSearch.service().csp(), type, [])]
 
-    Enum.join(config_policy ++ front_end_analytics_policy, " ")
+    Enum.join(config_policy ++ front_end_analytics_policy ++ global_search_policy, " ")
   end
 end
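Review bot: `csp/0` hands back whatever sits under `:csp_policy` without checking that it is a keyword list, so a mistyped value in an environment config (a bare string or a map, say) would presumably not fail here but later, inside `Keyword.get/3` in `HTTPSecurityPlug`, on every request that builds the header. A one-line assertion keeps the failure at the source and self-describing: `|> Keyword.get(:csp_policy, []) |> tap(&(Keyword.keyword?(&1) || raise ArgumentError, ":csp_policy must be a keyword list"))`, or simply document the expectation. The docstring would also help readers if it stated the shape and the coupling, for example: returns the CSP sources this provider needs, keyed by directive atom (`img_src` by default), read from the `:csp_policy` key of this module's application env on each call; the host must agree with `:endpoint` or the provider's pictures are blocked.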
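Review bot: `GlobalSearch.service().csp()` is called unconditionally in `get_csp_config/2`, so if the configured service module does not implement the new `csp/0` callback (a provider written before this patch, or a mistyped module name in config), every request that builds the CSP header raises `UndefinedFunctionError` and the whole site becomes unavailable instead of merely losing the extra image source. Since the service module comes from runtime configuration, a cheap existence guard keeps the plug fail-soft, as below; the existing `Keyword.get(..., type, [])` default already makes a missing directive harmless. The call is also repeated once per directive `type` for each request, which is fine as long as `csp/0` stays a plain config read but worth a comment if it ever grows. The alias hunk above needs nothing.
```elixir
  defp get_csp_config(type, options) do
    # … unchanged: config_policy and front_end_analytics_policy …
    provider = GlobalSearch.service()

    # Fail soft if the configured provider predates the csp/0 callback:
    # drop the extra sources rather than taking every request down.
    global_search_policy =
      if Code.ensure_loaded?(provider) and function_exported?(provider, :csp, 0),
        do: [Keyword.get(provider.csp(), type, [])],
        else: []

    Enum.join(config_policy ++ front_end_analytics_policy ++ global_search_policy, " ")
  end
```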