[fix] Update CSP header for blob images (upload preview) and dev livereload (#2109)
* update CSP header for blob images (upload preview) and dev livereload websocket * update csp for s3, update csp tests
This commit is contained in:
parent
8ea7f551a0
commit
912a104aed
2 changed files with 17 additions and 20 deletions
@ -54,19 +54,16 @@ func BuildContentSecurityPolicy() string {
|
||||||
// Debug is enabled, allow
|
// Debug is enabled, allow
|
||||||
// serving things from localhost
|
// serving things from localhost
|
||||||
// as well (regardless of port).
|
// as well (regardless of port).
|
||||||
policy += " localhost:*"
|
policy += " localhost:* ws://localhost:*"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Disallow object-src as recommended https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
|
||||||
|
policy += "; object-src 'none'"
|
||||||
|
|
||||||
s3Endpoint := config.GetStorageS3Endpoint()
|
s3Endpoint := config.GetStorageS3Endpoint()
|
||||||
if s3Endpoint == "" {
|
if s3Endpoint == "" || config.GetStorageS3Proxy() {
|
||||||
// S3 not configured,
|
// S3 not configured or in proxy mode, just allow images from self and blob:
|
||||||
// default policy is OK.
|
policy += "; img-src 'self' blob:"
|
||||||
return policy
|
|
||||||
}
|
|
||||||
|
|
||||||
if config.GetStorageS3Proxy() {
|
|
||||||
// S3 is configured in proxy
|
|
||||||
// mode, default policy is OK.
|
|
||||||
return policy
|
return policy
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -88,7 +85,7 @@ func BuildContentSecurityPolicy() string {
|
||||||
// handle any redirects from the fileserver to object storage.
|
// handle any redirects from the fileserver to object storage.
|
||||||
|
|
||||||
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
|
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
|
||||||
policy += "; img-src 'self' " + s3EndpointURLStr
|
policy += "; img-src 'self' blob: " + s3EndpointURLStr
|
||||||
|
|
||||||
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
|
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
|
||||||
policy += "; media-src 'self' " + s3EndpointURLStr
|
policy += "; media-src 'self' " + s3EndpointURLStr
|
||||||
|
|
|
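Review bot: `default-src` does not act as a fallback for `base-uri`, `form-action` or `frame-ancestors`, so after the new `object-src 'none'` line the policy still leaves `<base>` injection, form hijacking and framing ungoverned; if those are not set by another middleware (not visible here), the same line could become `policy += "; object-src 'none'; base-uri 'self'; form-action 'self'"`, with `frame-ancestors 'none'` (or `'self'`, depending on whether the web UI is meant to be embeddable) worth deciding explicitly. The CSP tests in the second file pin the full header string, so they would need the same directives appended. Separately, the new side adds `blob:` to `img-src` in both branches but `media-src` keeps `'self'` only, so a local object-URL preview of a video or audio upload would still be blocked where an image preview now works — fine if previews are image-only, otherwise `policy += "; media-src 'self' blob: " + s3EndpointURLStr` keeps the two directives consistent. BuildContentSecurityPolicy begins before the first hunk and the construction of `s3EndpointURLStr` sits between the two hunks, so whether the endpoint is URL-parsed before being spliced into the header cannot be confirmed from this view.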
@ -38,55 +38,55 @@ func TestBuildContentSecurityPolicy(t *testing.T) {
|
||||||
s3Endpoint: "",
|
s3Endpoint: "",
|
||||||
s3Proxy: false,
|
s3Proxy: false,
|
||||||
s3Secure: false,
|
s3Secure: false,
|
||||||
expected: "default-src 'self'",
|
expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
s3Endpoint: "some-bucket-provider.com",
|
s3Endpoint: "some-bucket-provider.com",
|
||||||
s3Proxy: false,
|
s3Proxy: false,
|
||||||
s3Secure: true,
|
s3Secure: true,
|
||||||
expected: "default-src 'self'; img-src 'self' https://some-bucket-provider.com; media-src 'self' https://some-bucket-provider.com",
|
expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://some-bucket-provider.com; media-src 'self' https://some-bucket-provider.com",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
s3Endpoint: "some-bucket-provider.com:6969",
|
s3Endpoint: "some-bucket-provider.com:6969",
|
||||||
s3Proxy: false,
|
s3Proxy: false,
|
||||||
s3Secure: true,
|
s3Secure: true,
|
||||||
expected: "default-src 'self'; img-src 'self' https://some-bucket-provider.com:6969; media-src 'self' https://some-bucket-provider.com:6969",
|
expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://some-bucket-provider.com:6969; media-src 'self' https://some-bucket-provider.com:6969",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
s3Endpoint: "some-bucket-provider.com:6969",
|
s3Endpoint: "some-bucket-provider.com:6969",
|
||||||
s3Proxy: false,
|
s3Proxy: false,
|
||||||
s3Secure: false,
|
s3Secure: false,
|
||||||
expected: "default-src 'self'; img-src 'self' http://some-bucket-provider.com:6969; media-src 'self' http://some-bucket-provider.com:6969",
|
expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: http://some-bucket-provider.com:6969; media-src 'self' http://some-bucket-provider.com:6969",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
s3Endpoint: "s3.nl-ams.scw.cloud",
|
s3Endpoint: "s3.nl-ams.scw.cloud",
|
||||||
s3Proxy: false,
|
s3Proxy: false,
|
||||||
s3Secure: true,
|
s3Secure: true,
|
||||||
expected: "default-src 'self'; img-src 'self' https://s3.nl-ams.scw.cloud; media-src 'self' https://s3.nl-ams.scw.cloud",
|
expected: "default-src 'self'; object-src 'none'; img-src 'self' blob: https://s3.nl-ams.scw.cloud; media-src 'self' https://s3.nl-ams.scw.cloud",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
s3Endpoint: "some-bucket-provider.com",
|
s3Endpoint: "some-bucket-provider.com",
|
||||||
s3Proxy: true,
|
s3Proxy: true,
|
||||||
s3Secure: true,
|
s3Secure: true,
|
||||||
expected: "default-src 'self'",
|
expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
s3Endpoint: "some-bucket-provider.com:6969",
|
s3Endpoint: "some-bucket-provider.com:6969",
|
||||||
s3Proxy: true,
|
s3Proxy: true,
|
||||||
s3Secure: true,
|
s3Secure: true,
|
||||||
expected: "default-src 'self'",
|
expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
s3Endpoint: "some-bucket-provider.com:6969",
|
s3Endpoint: "some-bucket-provider.com:6969",
|
||||||
s3Proxy: true,
|
s3Proxy: true,
|
||||||
s3Secure: true,
|
s3Secure: true,
|
||||||
expected: "default-src 'self'",
|
expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
s3Endpoint: "s3.nl-ams.scw.cloud",
|
s3Endpoint: "s3.nl-ams.scw.cloud",
|
||||||
s3Proxy: true,
|
s3Proxy: true,
|
||||||
s3Secure: true,
|
s3Secure: true,
|
||||||
expected: "default-src 'self'",
|
expected: "default-src 'self'; object-src 'none'; img-src 'self' blob:",
|
||||||
},
|
},
|
||||||
} {
|
} {
|
||||||
config.SetStorageS3Endpoint(test.s3Endpoint)
|
config.SetStorageS3Endpoint(test.s3Endpoint)
|
||||||
|
|