Provide an accept CSP policy for global search pictures

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
Thomas Citharel 2022-08-26 17:18:54 +02:00
parent 8812122168
commit 4db13046b7
No known key found for this signature in database
GPG key ID: A061B9DDE0CA0773
4 changed files with 21 additions and 2 deletions


@ -371,7 +371,10 @@ config :mobilizon, Mobilizon.Service.GlobalSearch,
service: Mobilizon.Service.GlobalSearch.SearchMobilizon
config :mobilizon, Mobilizon.Service.GlobalSearch.SearchMobilizon,
endpoint: "https://search.joinmobilizon.org"
endpoint: "https://search.joinmobilizon.org",
csp_policy: [
img_src: "search.joinmobilizon.org"
]
# Import environment specific config. This must remain at the bottom
# of this file so it overrides the configuration defined above.
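Review bot: The new `img_src` source is written without a scheme, so the browser resolves it relative to the scheme of the page being served rather than the `https://` used by `endpoint` just above it; `img_src: "https://search.joinmobilizon.org"` would keep these image loads on TLS however the instance itself is reached. The host is also now stated twice in this block, so an environment file that overrides `endpoint` has to override `csp_policy` as well, or the default host stays allowed while the new one is blocked. A one-line comment above `csp_policy:` saying that the two values must be changed together would help operators.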


@ -32,6 +32,10 @@ defmodule Mobilizon.Service.GlobalSearch.Provider do
Page.t(EventResult.t())
@callback search_groups(search_options :: keyword) ::
Page.t(GroupResult.t())
@doc """
The CSP configuration to add for the service to work
"""
@callback csp() :: keyword()
@spec endpoint(atom()) :: String.t()
def endpoint(provider) do
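Review bot: The `@doc` on the new `csp/0` callback does not state the shape an implementation must return, although the only consumer visible in this commit (`get_csp_config/2` in the HTTP security plug) looks keys up by directive type and joins the value into the header as a single element. I would spell that out in the doc, e.g. `Keys are CSP directive types such as :img_src; each value is one string of space-separated source expressions.` Because the callback is required, any provider module other than SearchMobilizon would also have to define it or the plug's call fails at runtime; that part is inferred, since the rest of the behaviour and its implementations lie outside this hunk.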


@ -113,6 +113,16 @@ defmodule Mobilizon.Service.GlobalSearch.SearchMobilizon do
end
end
@impl Provider
@doc """
Returns the CSP configuration for this search provider to work
"""
def csp do
:mobilizon
|> Application.get_env(__MODULE__, [])
|> Keyword.get(:csp_policy, [])
end
defp build_event(data) do
picture =
if data["banner"] do
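Review bot: `csp/0` has no `@spec` although the callback it implements is typed; adding `@spec csp() :: keyword()` above the `def` keeps the implementation checkable against the behaviour. The function also returns whatever is stored under `:csp_policy` unchecked, and `Keyword.get/3` raises when the application env for this module is not a keyword list, so a malformed override would surface on the code path that builds the security headers rather than at boot. A sentence in the `@doc` naming the config key it reads (`:csp_policy` under this module) would make that dependency visible.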


@ -10,6 +10,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
alias Mobilizon.Config
alias Mobilizon.Service.FrontEndAnalytics
alias Mobilizon.Service.GlobalSearch
import Plug.Conn
require Logger
@ -139,7 +140,8 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
defp get_csp_config(type, options) do
config_policy = Keyword.get(options, type, Config.get([:http_security, :csp_policy, type]))
front_end_analytics_policy = [Keyword.get(FrontEndAnalytics.csp(), type, [])]
global_search_policy = [Keyword.get(GlobalSearch.service().csp(), type, [])]
Enum.join(config_policy ++ front_end_analytics_policy, " ")
Enum.join(config_policy ++ front_end_analytics_policy ++ global_search_policy, " ")
end
end
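Review bot: In the second hunk, `global_search_policy` is appended to every directive the plug builds with no check visible here that global search is in use on the instance, so each response's CSP allows the provider's host for the matching directive types; if the feature can be switched off, the extra sources should be added only while it is on. The one-element wrapping `[Keyword.get(..., type, [])]` also means a provider that returns a list of sources gets them fused without spaces by `Enum.join/2`, and a missing key contributes an empty element; `global_search_policy = List.wrap(Keyword.get(GlobalSearch.service().csp(), type, []))` handles string, list and absent values alike. `GlobalSearch.service()` is assumed to always return a module here; its definition is outside this diff.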