[feature/bugfix] Probe S3 storage for CSP uri, add config flag for extra URIs (#2134)

* [feature/bugfix] Probe S3 storage for CSP uri, add config flag for extra URIs

* env parsing tests, my coy mistress
tobi
2023-08-20 13:35:55 +02:00
committed by GitHub
parent 92de8fb396
commit 1e2db7a32f
13 changed files with 343 additions and 110 deletions


@ -18,15 +18,11 @@
package middleware
import (
"codeberg.org/gruf/go-debug"
"github.com/gin-gonic/gin"
"github.com/superseriousbusiness/gotosocial/internal/config"
)
// ExtraHeaders returns a new gin middleware which adds various extra headers to the response.
func ExtraHeaders() gin.HandlerFunc {
csp := BuildContentSecurityPolicy()
return func(c *gin.Context) {
// Inform all callers which server implementation this is.
c.Header("Server", "gotosocial")
@ -39,56 +35,5 @@ func ExtraHeaders() gin.HandlerFunc {
//
// See: https://github.com/patcg-individual-drafts/topics
c.Header("Permissions-Policy", "browsing-topics=()")
// Inform the browser we only load
// CSS/JS/media using the given policy.
c.Header("Content-Security-Policy", csp)
}
}
func BuildContentSecurityPolicy() string {
// Start with restrictive policy.
policy := "default-src 'self'"
if debug.DEBUG {
// Debug is enabled, allow
// serving things from localhost
// as well (regardless of port).
policy += " localhost:* ws://localhost:*"
}
// Disallow object-src as recommended https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
policy += "; object-src 'none'"
s3Endpoint := config.GetStorageS3Endpoint()
if s3Endpoint == "" || config.GetStorageS3Proxy() {
// S3 not configured or in proxy mode, just allow images from self and blob:
policy += "; img-src 'self' blob:"
return policy
}
// S3 is on and in non-proxy mode, so we need to add the S3 host to
// the policy to allow images and video to be pulled from there too.
// If secure is false,
// use 'http' scheme.
scheme := "https"
if !config.GetStorageS3UseSSL() {
scheme = "http"
}
// Construct endpoint URL.
s3EndpointURLStr := scheme + "://" + s3Endpoint
// When object storage is in use in non-proxied mode, GtS still serves some
// assets itself like the logo, so keep 'self' in there. That should also
// handle any redirects from the fileserver to object storage.
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
policy += "; img-src 'self' blob: " + s3EndpointURLStr
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
policy += "; media-src 'self' " + s3EndpointURLStr
return policy
}