Provide an accept CSP policy for global search pictures

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel 2022-08-26 17:18:54 +02:00
parent 8812122168
commit 4db13046b7
No known key found for this signature in database
GPG key ID: A061B9DDE0CA0773
4 changed files with 21 additions and 2 deletions

View file

@ -371,7 +371,10 @@ config :mobilizon, Mobilizon.Service.GlobalSearch,
service: Mobilizon.Service.GlobalSearch.SearchMobilizon service: Mobilizon.Service.GlobalSearch.SearchMobilizon
config :mobilizon, Mobilizon.Service.GlobalSearch.SearchMobilizon, config :mobilizon, Mobilizon.Service.GlobalSearch.SearchMobilizon,
endpoint: "https://search.joinmobilizon.org" endpoint: "https://search.joinmobilizon.org",
csp_policy: [
img_src: "search.joinmobilizon.org"
]
# Import environment specific config. This must remain at the bottom # Import environment specific config. This must remain at the bottom
# of this file so it overrides the configuration defined above. # of this file so it overrides the configuration defined above.

View file

@ -32,6 +32,10 @@ defmodule Mobilizon.Service.GlobalSearch.Provider do
Page.t(EventResult.t()) Page.t(EventResult.t())
@callback search_groups(search_options :: keyword) :: @callback search_groups(search_options :: keyword) ::
Page.t(GroupResult.t()) Page.t(GroupResult.t())
@doc """
The CSP configuration to add for the service to work
"""
@callback csp() :: keyword()
@spec endpoint(atom()) :: String.t() @spec endpoint(atom()) :: String.t()
def endpoint(provider) do def endpoint(provider) do

View file

@ -113,6 +113,16 @@ defmodule Mobilizon.Service.GlobalSearch.SearchMobilizon do
end end
end end
@impl Provider
@doc """
Returns the CSP configuration for this search provider to work
"""
def csp do
:mobilizon
|> Application.get_env(__MODULE__, [])
|> Keyword.get(:csp_policy, [])
end
defp build_event(data) do defp build_event(data) do
picture = picture =
if data["banner"] do if data["banner"] do

View file

@ -10,6 +10,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
alias Mobilizon.Config alias Mobilizon.Config
alias Mobilizon.Service.FrontEndAnalytics alias Mobilizon.Service.FrontEndAnalytics
alias Mobilizon.Service.GlobalSearch
import Plug.Conn import Plug.Conn
require Logger require Logger
@ -139,7 +140,8 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
defp get_csp_config(type, options) do defp get_csp_config(type, options) do
config_policy = Keyword.get(options, type, Config.get([:http_security, :csp_policy, type])) config_policy = Keyword.get(options, type, Config.get([:http_security, :csp_policy, type]))
front_end_analytics_policy = [Keyword.get(FrontEndAnalytics.csp(), type, [])] front_end_analytics_policy = [Keyword.get(FrontEndAnalytics.csp(), type, [])]
global_search_policy = [Keyword.get(GlobalSearch.service().csp(), type, [])]
Enum.join(config_policy ++ front_end_analytics_policy, " ") Enum.join(config_policy ++ front_end_analytics_policy ++ global_search_policy, " ")
end end
end end