Add some CSP headers
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
parent
f0141c97e8
commit
b7915a6467
|
@ -4,6 +4,12 @@ defmodule Mobilizon.Web.Router do
|
||||||
"""
|
"""
|
||||||
use Mobilizon.Web, :router
|
use Mobilizon.Web, :router
|
||||||
|
|
||||||
|
@csp if Application.fetch_env!(:mobilizon, :env) != :dev,
|
||||||
|
do: "default-src 'self';",
|
||||||
|
else:
|
||||||
|
"default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
|
||||||
|
@headers %{"content-security-policy" => @csp}
|
||||||
|
|
||||||
pipeline :graphql do
|
pipeline :graphql do
|
||||||
# plug(:accepts, ["json"])
|
# plug(:accepts, ["json"])
|
||||||
plug(Mobilizon.Web.Auth.Pipeline)
|
plug(Mobilizon.Web.Auth.Pipeline)
|
||||||
|
@ -30,6 +36,7 @@ defmodule Mobilizon.Web.Router do
|
||||||
|
|
||||||
pipeline :activity_pub_and_html do
|
pipeline :activity_pub_and_html do
|
||||||
plug(:accepts, ["html", "activity-json"])
|
plug(:accepts, ["html", "activity-json"])
|
||||||
|
plug(:put_secure_browser_headers, @headers)
|
||||||
|
|
||||||
plug(Cldr.Plug.AcceptLanguage,
|
plug(Cldr.Plug.AcceptLanguage,
|
||||||
cldr_backend: Mobilizon.Cldr
|
cldr_backend: Mobilizon.Cldr
|
||||||
|
@ -37,6 +44,7 @@ defmodule Mobilizon.Web.Router do
|
||||||
end
|
end
|
||||||
|
|
||||||
pipeline :atom_and_ical do
|
pipeline :atom_and_ical do
|
||||||
|
plug(:put_secure_browser_headers, @headers)
|
||||||
plug(:accepts, ["atom", "ics", "html"])
|
plug(:accepts, ["atom", "ics", "html"])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -48,10 +56,7 @@ defmodule Mobilizon.Web.Router do
|
||||||
)
|
)
|
||||||
|
|
||||||
plug(:accepts, ["html"])
|
plug(:accepts, ["html"])
|
||||||
plug(:fetch_session)
|
plug(:put_secure_browser_headers, @headers)
|
||||||
plug(:fetch_flash)
|
|
||||||
plug(:protect_from_forgery)
|
|
||||||
plug(:put_secure_browser_headers)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
pipeline :remote_media do
|
pipeline :remote_media do
|
||||||
|
@ -158,6 +163,8 @@ defmodule Mobilizon.Web.Router do
|
||||||
get("/interact", PageController, :interact)
|
get("/interact", PageController, :interact)
|
||||||
|
|
||||||
get("/auth/:provider", AuthController, :request)
|
get("/auth/:provider", AuthController, :request)
|
||||||
|
# sobelow_skip ["Config.CSRFRoute"]
|
||||||
|
# Possibly related to https://github.com/ueberauth/ueberauth/issues/125
|
||||||
get("/auth/:provider/callback", AuthController, :callback)
|
get("/auth/:provider/callback", AuthController, :callback)
|
||||||
post("/auth/:provider/callback", AuthController, :callback)
|
post("/auth/:provider/callback", AuthController, :callback)
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue