Merge branch 'homepage-webperf' into 'main'

Fix building CSP policy See merge request framasoft/mobilizon!1321
2022-11-04 16:18:29 +00:00 · 2022-11-04 16:18:29 +00:00 · 8e0f6bd173
parent d8434ca3d3 bc81b1830d
commit 8e0f6bd173
7 changed files with 30 additions and 13 deletions
--- a/config/config.exs
+++ b/config/config.exs
@ -368,7 +368,7 @@ config :mobilizon, Mobilizon.Service.GlobalSearch,
 config :mobilizon, Mobilizon.Service.GlobalSearch.SearchMobilizon,
  endpoint: "https://search.joinmobilizon.org",
  csp_policy: [
-    img_src: "search.joinmobilizon.org"
+    img_src: ["search.joinmobilizon.org"]
  ]

 # Import environment specific config. This must remain at the bottom
--- a/js/src/components/Categories/CategoryCard.vue
+++ b/js/src/components/Categories/CategoryCard.vue
@ -29,7 +29,7 @@
        width="384"
        height="384"
        alt=""
-        loading="lazy"
+        :loading="imageLazy ? 'lazy' : undefined"
      />
    </picture>
    <p
@ -71,9 +71,11 @@ withDefaults(
  defineProps<{
    category: CategoryStatsModel;
    withDetails?: boolean;
+    imageLazy?: boolean;
  }>(),
  {
    withDetails: false,
+    imageLazy: true,
  }
 );

--- a/js/src/components/Home/CategoriesPreview.vue
+++ b/js/src/components/Home/CategoriesPreview.vue
@ -7,6 +7,7 @@
      :key="category.key"
      :category="category"
      :with-details="false"
+      :imageLazy="false"
    />
    <router-link
      :to="{ name: RouteName.CATEGORIES }"
--- a/js/src/components/Image/LazyImage.vue
+++ b/js/src/components/Image/LazyImage.vue
@ -17,6 +17,7 @@
        :class="imageOpacity"
        alt=""
        src=""
+        loading="lazy"
      />
    </div>
  </div>
--- a/js/src/components/TextEditor.vue
+++ b/js/src/components/TextEditor.vue
@ -428,6 +428,7 @@ uploadMediaDone(({ data }) => {
      .focus()
      .setImage({
        src: data.uploadMedia.url,
+        alt: '',
        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
        // @ts-ignore
        "data-media-id": data.uploadMedia.id,
--- a/lib/web/plugs/http_security_plug.ex
+++ b/lib/web/plugs/http_security_plug.ex
@ -119,13 +119,8 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do

    font_src = [@font_src] ++ [get_csp_config(:font_src, options)]

-    frame_src = if Config.get(:env) == :dev, do: "frame-src 'self' ", else: "frame-src 'none' "
-    frame_src = [frame_src] ++ [get_csp_config(:frame_src, options)]
-
-    frame_ancestors =
-      if Config.get(:env) == :dev, do: "frame-ancestors 'self' ", else: "frame-ancestors 'none' "
-
-    frame_ancestors = [frame_ancestors] ++ [get_csp_config(:frame_ancestors, options)]
+    frame_src = build_csp_field(:frame_src, options)
+    frame_ancestors = build_csp_field(:frame_ancestors, options)

    report = if report_uri, do: ["report-uri ", report_uri, " ; report-to csp-endpoint"]
    insecure = if scheme == "https", do: "upgrade-insecure-requests"
@ -162,9 +157,9 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
  @spec get_csp_config(atom(), Keyword.t()) :: iodata()
  defp get_csp_config(type, options) do
    config_policy = Keyword.get(options, type, Config.get([:http_security, :csp_policy, type]))
-    front_end_analytics_policy = [Keyword.get(FrontEndAnalytics.csp(), type, [])]
-    global_search_policy = [Keyword.get(GlobalSearch.service().csp(), type, [])]
-    pictures_policy = [Keyword.get(Pictures.service().csp(), type, [])]
+    front_end_analytics_policy = Keyword.get(FrontEndAnalytics.csp(), type, [])
+    global_search_policy = Keyword.get(GlobalSearch.service().csp(), type, [])
+    pictures_policy = Keyword.get(Pictures.service().csp(), type, [])

    resource_providers = Config.get([Mobilizon.Service.ResourceProviders, :csp_policy, type], [])

@ -175,4 +170,21 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
      " "
    )
  end
+
+  defp build_csp_field(type, options) do
+    csp_config = get_csp_config(type, options)
+
+    csp_config =
+      if Config.get(:env) == :dev do
+        [csp_config] ++ ["'self'"]
+      else
+        if csp_config == "" do
+          ["'none'"]
+        else
+          [csp_config]
+        end
+      end
+
+    Enum.join([type |> to_string() |> String.replace("_", "-")] ++ csp_config, " ")
+  end
 end
--- a/test/web/plugs/http_security_plug_test.exs
+++ b/test/web/plugs/http_security_plug_test.exs
@ -93,7 +93,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlugTest do
      [csp] = Conn.get_resp_header(conn, "content-security-policy")

      assert csp =~
-               ~r/script-src 'self' 'unsafe-eval' 'sha256-[\w+\/=]*' 'sha256-[\w+\/=]*' example.com matomo.example.com\s+;/
+               ~r/script-src 'self' 'unsafe-eval' 'sha256-[\w+\/=]*' 'sha256-[\w+\/=]*' example.com matomo.example.com;/
    end
  end