SuperSeriousBusiness/GoToSocial
1
1
Fork 0
mirror of https://github.com/superseriousbusiness/gotosocial synced 2025-06-05 21:59:39 +02:00
Code Issues Projects Releases Wiki Activity

[feature] Add ListenBrainz functionality on the web view (#4184)

Browse Source 
This pull request adds a very simple ad-hoc ListenBrainz widget to the frontend web view, with progressive enhancement (in all fail states it just falls back to rendering the field as normal).

This necessitated adding the ListenBrainz API endpoint to the `connect-src` part of our Content-Security-Policy header. We might want to tweak this to only add that endpoint to `connect-src` for profiles, and then only for profiles that include a ListenBrainz field, but this would require significant dicking about with the middleware, and checks inside the app logic, such that it might not be worthwhile (after all, we control all the scripts right now anyway).

Reviewed-on: https://codeberg.org/superseriousbusiness/gotosocial/pulls/4184
Co-authored-by: tobi <tobi.smethurst@protonmail.com>
Co-committed-by: tobi <tobi.smethurst@protonmail.com>
This commit is contained in:
tobi
2025-05-22 12:34:39 +02:00
committed by kim
parent d5c9c4adc1
commit 00e58c60cd
6 changed files with 200 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
internal/middleware/contentsecuritypolicy.go
View File

@ -37,6 +37,7 @@ func ContentSecurityPolicy(extraURIs ...string) gin.HandlerFunc {
func BuildContentSecurityPolicy(extraURIs ...string) string {
const (
defaultSrc = "default-src"
connectSrc = "connect-src"
objectSrc = "object-src"
imgSrc = "img-src"
mediaSrc = "media-src"
@ -48,7 +49,7 @@ func BuildContentSecurityPolicy(extraURIs ...string) string {
)
// CSP values keyed by directive.
values := make(map[string][]string, 4)
values := make(map[string][]string, 5)
/*
default-src
@ -69,6 +70,16 @@ func BuildContentSecurityPolicy(extraURIs ...string) string {
}
}
/*
connect-src
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src
*/
// Restrictive default policy, but
// include ListenBrainz API for fields.
const listenBrains = "https://api.listenbrainz.org/1/user/"
values[connectSrc] = append(values[defaultSrc], listenBrains) //nolint
/*
object-src
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
@ -118,9 +129,10 @@ func BuildContentSecurityPolicy(extraURIs ...string) string {
// Iterate through an ordered slice rather than
// iterating through the map, since we want these
// policyDirectives in a determinate order.
policyDirectives := make([]string, 4)
policyDirectives := make([]string, 5)
for i, directive := range []string{
defaultSrc,
connectSrc,
objectSrc,
imgSrc,
mediaSrc,