Merge branch 'homepage-webperf' into 'main'

Fix building CSP policy

See merge request framasoft/mobilizon!1321
Thomas Citharel 2022-11-04 16:18:29 +00:00
commit 8e0f6bd173
7 changed files with 30 additions and 13 deletions


@ -368,7 +368,7 @@ config :mobilizon, Mobilizon.Service.GlobalSearch,
config :mobilizon, Mobilizon.Service.GlobalSearch.SearchMobilizon, config :mobilizon, Mobilizon.Service.GlobalSearch.SearchMobilizon,
endpoint: "https://search.joinmobilizon.org", endpoint: "https://search.joinmobilizon.org",
csp_policy: [ csp_policy: [
img_src: "search.joinmobilizon.org" img_src: ["search.joinmobilizon.org"]
] ]
# Import environment specific config. This must remain at the bottom # Import environment specific config. This must remain at the bottom
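Review bot: `img_src` changing from a string to a one-element list is a contract change for every `csp_policy` key, and nothing at this site says so; `get_csp_config` in this same commit now reads the per-service values without the wrapping list, so an operator who keeps the old single-string form in their own `csp_policy` config would presumably hit a runtime error in the concatenation (that code falls outside the visible hunks, so this is inferred). A short comment on the key would prevent that: `# csp_policy values are lists of source expressions, one host per entry`.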


@ -29,7 +29,7 @@
width="384" width="384"
height="384" height="384"
alt="" alt=""
loading="lazy" :loading="imageLazy ? 'lazy' : undefined"
/> />
</picture> </picture>
<p <p
@ -71,9 +71,11 @@ withDefaults(
defineProps<{ defineProps<{
category: CategoryStatsModel; category: CategoryStatsModel;
withDetails?: boolean; withDetails?: boolean;
imageLazy?: boolean;
}>(), }>(),
{ {
withDetails: false, withDetails: false,
imageLazy: true,
} }
); );


@ -7,6 +7,7 @@
:key="category.key" :key="category.key"
:category="category" :category="category"
:with-details="false" :with-details="false"
:imageLazy="false"
/> />
<router-link <router-link
:to="{ name: RouteName.CATEGORIES }" :to="{ name: RouteName.CATEGORIES }"
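Review bot: `:imageLazy="false"` uses camelCase where the sibling binding on the same element, `:with-details="false"`, uses kebab-case; Vue normalises both to the `imageLazy` prop, so this is a style inconsistency rather than a bug, but the template attributes in this file are otherwise kebab-case. Change it to `:image-lazy="false"`.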


@ -17,6 +17,7 @@
:class="imageOpacity" :class="imageOpacity"
alt="" alt=""
src="" src=""
loading="lazy"
/> />
</div> </div>
</div> </div>


@ -428,6 +428,7 @@ uploadMediaDone(({ data }) => {
.focus() .focus()
.setImage({ .setImage({
src: data.uploadMedia.url, src: data.uploadMedia.url,
alt: '',
// eslint-disable-next-line @typescript-eslint/ban-ts-comment // eslint-disable-next-line @typescript-eslint/ban-ts-comment
// @ts-ignore // @ts-ignore
"data-media-id": data.uploadMedia.id, "data-media-id": data.uploadMedia.id,


@ -119,13 +119,8 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
font_src = [@font_src] ++ [get_csp_config(:font_src, options)] font_src = [@font_src] ++ [get_csp_config(:font_src, options)]
frame_src = if Config.get(:env) == :dev, do: "frame-src 'self' ", else: "frame-src 'none' " frame_src = build_csp_field(:frame_src, options)
frame_src = [frame_src] ++ [get_csp_config(:frame_src, options)] frame_ancestors = build_csp_field(:frame_ancestors, options)
frame_ancestors =
if Config.get(:env) == :dev, do: "frame-ancestors 'self' ", else: "frame-ancestors 'none' "
frame_ancestors = [frame_ancestors] ++ [get_csp_config(:frame_ancestors, options)]
report = if report_uri, do: ["report-uri ", report_uri, " ; report-to csp-endpoint"] report = if report_uri, do: ["report-uri ", report_uri, " ; report-to csp-endpoint"]
insecure = if scheme == "https", do: "upgrade-insecure-requests" insecure = if scheme == "https", do: "upgrade-insecure-requests"
@ -162,9 +157,9 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
@spec get_csp_config(atom(), Keyword.t()) :: iodata() @spec get_csp_config(atom(), Keyword.t()) :: iodata()
defp get_csp_config(type, options) do defp get_csp_config(type, options) do
config_policy = Keyword.get(options, type, Config.get([:http_security, :csp_policy, type])) config_policy = Keyword.get(options, type, Config.get([:http_security, :csp_policy, type]))
front_end_analytics_policy = [Keyword.get(FrontEndAnalytics.csp(), type, [])] front_end_analytics_policy = Keyword.get(FrontEndAnalytics.csp(), type, [])
global_search_policy = [Keyword.get(GlobalSearch.service().csp(), type, [])] global_search_policy = Keyword.get(GlobalSearch.service().csp(), type, [])
pictures_policy = [Keyword.get(Pictures.service().csp(), type, [])] pictures_policy = Keyword.get(Pictures.service().csp(), type, [])
resource_providers = Config.get([Mobilizon.Service.ResourceProviders, :csp_policy, type], []) resource_providers = Config.get([Mobilizon.Service.ResourceProviders, :csp_policy, type], [])
@ -175,4 +170,21 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
" " " "
) )
end end
defp build_csp_field(type, options) do
csp_config = get_csp_config(type, options)
csp_config =
if Config.get(:env) == :dev do
[csp_config] ++ ["'self'"]
else
if csp_config == "" do
["'none'"]
else
[csp_config]
end
end
Enum.join([type |> to_string() |> String.replace("_", "-")] ++ csp_config, " ")
end
end end
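Review bot: The `'none'` fallback in build_csp_field is keyed on `csp_config == ""`, but get_csp_config is spec'd as returning iodata, so a whitespace-only or list-shaped result outside `:dev` would skip the fallback and emit a bare `frame-src ` / `frame-ancestors ` directive; browsers treat an empty source list as matching nothing, yet the policy no longer states `'none'` explicitly and the intent is lost. The `:dev` branch also emits a double space when the configured value is empty, and the nested `if`/`else` reads better as `cond`. I would normalise the configured value to a trimmed binary before branching, as below; whether get_csp_config can actually return non-binary iodata depends on its concatenation lines, which fall outside the visible hunks.
```elixir
defp build_csp_field(type, options) do
  directive = type |> to_string() |> String.replace("_", "-")
  configured = type |> get_csp_config(options) |> IO.iodata_to_binary() |> String.trim()

  sources =
    cond do
      Config.get(:env) == :dev -> [configured, "'self'"]
      configured == "" -> ["'none'"]
      true -> [configured]
    end

  Enum.join([directive | Enum.reject(sources, &(&1 == ""))], " ")
end
```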


@ -93,7 +93,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlugTest do
[csp] = Conn.get_resp_header(conn, "content-security-policy") [csp] = Conn.get_resp_header(conn, "content-security-policy")
assert csp =~ assert csp =~
~r/script-src 'self' 'unsafe-eval' 'sha256-[\w+\/=]*' 'sha256-[\w+\/=]*' example.com matomo.example.com\s+;/ ~r/script-src 'self' 'unsafe-eval' 'sha256-[\w+\/=]*' 'sha256-[\w+\/=]*' example.com matomo.example.com;/
end end
end end
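Review bot: The regex change only tracks the dropped trailing whitespace in `script-src`; nothing in this test exercises the new `'none'` fallback that build_csp_field introduces for `frame-src`/`frame-ancestors` when no sources are configured, which is the behaviour the commit title is about. Since tests run outside `:dev`, an assertion on the same response such as `assert csp =~ ~r/frame-ancestors 'none'/` would pin it, provided the test config leaves `frame_ancestors` unset (that config is not visible from here). The enclosing test starts outside the hunk.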