Ability to set the Service-Worker-Allowed header

This commit is contained in:
eugenijm 2021-01-08 12:06:04 +03:00
parent d8860eaee4
commit 133644dfa2
4 changed files with 25 additions and 1 deletions

View File

@ -35,7 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc. - OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
- Ability to set ActivityPub aliases for follower migration. - Ability to set ActivityPub aliases for follower migration.
- Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy - Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
- Ability to set the `Service-Worker-Allowed` header
<details> <details>
<summary>API Changes</summary> <summary>API Changes</summary>

View File

@ -1749,6 +1749,14 @@
type: :string, type: :string,
description: "Adds the specified URL to report-uri and report-to group in CSP header", description: "Adds the specified URL to report-uri and report-to group in CSP header",
suggestions: ["https://example.com/report-uri"] suggestions: ["https://example.com/report-uri"]
},
%{
key: :service_worker_allowed,
label: "The Service-Worker-Allowed header",
type: :string,
description:
"Sets the Service-Worker-Allowed header which limits the maximum allowed Service Worker scope",
suggestions: ["/"]
} }
] ]
}, },

View File

@ -23,6 +23,7 @@ def call(conn, _options) do
defp headers do defp headers do
referrer_policy = Config.get([:http_security, :referrer_policy]) referrer_policy = Config.get([:http_security, :referrer_policy])
report_uri = Config.get([:http_security, :report_uri]) report_uri = Config.get([:http_security, :report_uri])
service_worker_allowed = Config.get([:http_security, :service_worker_allowed])
headers = [ headers = [
{"x-xss-protection", "1; mode=block"}, {"x-xss-protection", "1; mode=block"},
@ -34,6 +35,13 @@ defp headers do
{"content-security-policy", csp_string()} {"content-security-policy", csp_string()}
] ]
headers =
if service_worker_allowed do
[{"service-worker-allowed", service_worker_allowed} | headers]
else
headers
end
if report_uri do if report_uri do
report_group = %{ report_group = %{
"group" => "csp-endpoint", "group" => "csp-endpoint",

View File

@ -72,6 +72,14 @@ test "default values for img-src and media-src with disabled media proxy", %{con
assert csp =~ "media-src 'self' https:;" assert csp =~ "media-src 'self' https:;"
assert csp =~ "img-src 'self' data: blob: https:;" assert csp =~ "img-src 'self' data: blob: https:;"
end end
test "it sets the Service-Worker-Allowed header", %{conn: conn} do
clear_config([:http_security, :enabled], true)
clear_config([:http_security, :service_worker_allowed], "/")
conn = get(conn, "/api/v1/instance")
assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
end
end end
describe "img-src and media-src" do describe "img-src and media-src" do