mirror of
https://github.com/superseriousbusiness/gotosocial.git
synced 2024-11-25 02:35:57 +03:00
02d6e2e3bc
* Set frame-ancestors in the CSP This ensures we can't be loaded/embedded in an iframe. It also sets the older X-Frame-Options for fallback. * Disable MIME type sniffing * Set Referrer-Policy This sets the policy such that browsers will never send the Referer header along with a request, unless it's a request to the same protocol, host/domain and port. Basically, only send it when navigating through our own UI, but not anything external. The default is strict-origin-when-cross-origin when unset, which sends the Referer header for requests unless it's going from HTTPS to HTTP (i.e a security downgrade, hence the 'strict').
48 lines
1.8 KiB
Go
48 lines
1.8 KiB
Go
// GoToSocial
|
|
// Copyright (C) GoToSocial Authors admin@gotosocial.org
|
|
// SPDX-License-Identifier: AGPL-3.0-or-later
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
package middleware
|
|
|
|
import (
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// ExtraHeaders returns a new gin middleware which adds various extra headers to the response.
|
|
func ExtraHeaders() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
// Inform all callers which server implementation this is.
|
|
c.Header("Server", "gotosocial")
|
|
|
|
// Equivalent to CSP frame-ancestors for older browsers
|
|
c.Header("X-Frame-Options", "DENY")
|
|
|
|
// Don't do MIME type sniffing
|
|
c.Header("X-Content-Type-Options", "nosniff")
|
|
|
|
// Only send Referer header for URLs matching our protocol, hostname and port
|
|
c.Header("Referrer-Policy", "same-origin")
|
|
|
|
// Prevent google chrome cohort tracking. Originally this was referred
|
|
// to as FlocBlock. Floc was replaced by Topics in 2022 and the spec says
|
|
// that interest-cohort will also block Topics (as of 2022-Nov).
|
|
//
|
|
// See: https://smartframe.io/blog/google-topics-api-everything-you-need-to-know
|
|
//
|
|
// See: https://github.com/patcg-individual-drafts/topics
|
|
c.Header("Permissions-Policy", "browsing-topics=()")
|
|
}
|
|
}
|