From b7915a6467f2f1f009763c378a1d4200b44fd0ae Mon Sep 17 00:00:00 2001
From: Thomas Citharel <tcit@tcit.fr>
Date: Fri, 22 Jan 2021 18:15:21 +0100
Subject: [PATCH] Add some CSP headers

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
---
 lib/web/router.ex | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/lib/web/router.ex b/lib/web/router.ex
index 76bde3ceb..b8aa2690e 100644
--- a/lib/web/router.ex
+++ b/lib/web/router.ex
@@ -4,6 +4,12 @@ defmodule Mobilizon.Web.Router do
   """
   use Mobilizon.Web, :router
 
+  @csp if Application.fetch_env!(:mobilizon, :env) != :dev,
+         do: "default-src 'self';",
+         else:
+           "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
+  @headers %{"content-security-policy" => @csp}
+
   pipeline :graphql do
     #    plug(:accepts, ["json"])
     plug(Mobilizon.Web.Auth.Pipeline)
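Review bot: The production policy on the `do:` line relies on `default-src` alone, but `frame-ancestors`, `base-uri` and `form-action` do not fall back to `default-src`, so framing and base-tag injection stay governed only by whatever `put_secure_browser_headers` sets by default; consider `do: "default-src 'self'; frame-ancestors 'self'; base-uri 'self';"` (adding `form-action` needs checking against the `/auth/:provider` redirect flow first). The `Application.fetch_env!(:mobilizon, :env)` call sits in the module body, so it is evaluated at compile time and the selected policy is frozen into the build; if `:env` is ever set via runtime config the header will not follow it, and where the project's Elixir version allows it `Application.compile_env(:mobilizon, :env)` states that intent and lets the compiler track the dependency. The two branches also differ in trailing `;`, which is harmless but worth normalizing.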
@@ -30,6 +36,7 @@ defmodule Mobilizon.Web.Router do
 
   pipeline :activity_pub_and_html do
     plug(:accepts, ["html", "activity-json"])
+    plug(:put_secure_browser_headers, @headers)
 
     plug(Cldr.Plug.AcceptLanguage,
       cldr_backend: Mobilizon.Cldr
@@ -37,6 +44,7 @@ defmodule Mobilizon.Web.Router do
   end
 
   pipeline :atom_and_ical do
+    plug(:put_secure_browser_headers, @headers)
     plug(:accepts, ["atom", "ics", "html"])
   end
 
@@ -48,10 +56,7 @@ defmodule Mobilizon.Web.Router do
     )
 
     plug(:accepts, ["html"])
-    plug(:fetch_session)
-    plug(:fetch_flash)
-    plug(:protect_from_forgery)
-    plug(:put_secure_browser_headers)
+    plug(:put_secure_browser_headers, @headers)
   end
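Review bot: The rewritten pipeline (its `pipeline` line is above the hunk) now ends with only `plug(:accepts, ["html"])` and the header plug; `fetch_session`, `fetch_flash` and `protect_from_forgery` are dropped without the commit message saying why, and nothing else in the patch adds them back. Any state-changing route piped through it — the `post("/auth/:provider/callback", ...)` route in the last hunk is a candidate if its scope uses this pipeline — would then run with no session and no CSRF token check. If the removal is intentional because those routes are read-only or session and CSRF handling live in another plug, say so in the commit message; otherwise keep `plug(:fetch_session)` and `plug(:protect_from_forgery)` next to `plug(:put_secure_browser_headers, @headers)`.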
 
   pipeline :remote_media do
@@ -158,6 +163,8 @@ defmodule Mobilizon.Web.Router do
     get("/interact", PageController, :interact)
 
     get("/auth/:provider", AuthController, :request)
+    # sobelow_skip ["Config.CSRFRoute"]
+    # Possibly related to https://github.com/ueberauth/ueberauth/issues/125
     get("/auth/:provider/callback", AuthController, :callback)
     post("/auth/:provider/callback", AuthController, :callback)
   end
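Review bot: The `sobelow_skip ["Config.CSRFRoute"]` line on the GET callback route is justified only by a "Possibly related to" link, so a later reader cannot tell whether the skip is still warranted; keep the skip marker on its own line (Sobelow parses it as such) and replace the second comment with the actual reason, e.g. `# GET is required because OAuth providers redirect back with a query string; the skip assumes the strategy validates the state parameter — confirm in the Ueberauth config`, with the state-validation part checked against the configured strategies since this patch does not show it. The scope's `pipe_through` is outside the hunk; if it goes through the pipeline changed in the previous hunk, which no longer has `protect_from_forgery`, the `post` callback on the following line is affected as well.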