Significantly tighten HTTP CSP
parent
57e51fe62c
commit
336d06b2a8
@ -29,6 +29,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
- Quote posts are now considered as part of the same thread as the post they are quoting
|
- Quote posts are now considered as part of the same thread as the post they are quoting
|
||||||
- Simplified HTTP signature processing
|
- Simplified HTTP signature processing
|
||||||
- Rich media will now hard-exit after 5 seconds, to prevent timeline hangs
|
- Rich media will now hard-exit after 5 seconds, to prevent timeline hangs
|
||||||
|
- HTTP Content Security Policy is now far more strict to prevent any potential XSS/CSS leakages
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- /api/v1/accounts/lookup will now respect restrict\_unauthenticated
|
- /api/v1/accounts/lookup will now respect restrict\_unauthenticated
|
||||||
|
|
|
@ -106,20 +106,15 @@ defp csp_string(conn) do
|
||||||
connect_src =
|
connect_src =
|
||||||
if Config.get([:media_proxy, :enabled]) do
|
if Config.get([:media_proxy, :enabled]) do
|
||||||
sources = build_csp_multimedia_source_list()
|
sources = build_csp_multimedia_source_list()
|
||||||
["connect-src 'self' blob: ", static_url, ?\s, websocket_url, ?\s, sources]
|
["connect-src 'self' ", static_url, ?\s, websocket_url, ?\s, sources]
|
||||||
else
|
else
|
||||||
["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
|
["connect-src 'self' ", static_url, ?\s, websocket_url]
|
||||||
end
|
end
|
||||||
|
|
||||||
style_src = "style-src 'self' 'unsafe-inline'"
|
style_src = "style-src 'self' '#{nonce_tag}'"
|
||||||
font_src = "font-src 'self' data:"
|
font_src = "font-src 'self'"
|
||||||
|
|
||||||
script_src =
|
script_src = "script-src 'self' '#{nonce_tag}'"
|
||||||
if Config.get(:env) == :dev do
|
|
||||||
"script-src 'self' 'unsafe-eval' '#{nonce_tag}'"
|
|
||||||
else
|
|
||||||
"script-src 'self' '#{nonce_tag}'"
|
|
||||||
end
|
|
||||||
|
|
||||||
report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
|
report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
|
||||||
insecure = if scheme == "https", do: "upgrade-insecure-requests"
|
insecure = if scheme == "https", do: "upgrade-insecure-requests"
|
||||||
|
|
|
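Review bot: With `'unsafe-inline'` dropped from `style_src` (the new `style-src 'self' '#{nonce_tag}'` line), inline `style=""` attributes are no longer permitted — a CSP nonce only whitelists `<style>` and `<link>` elements that carry it, not attributes — so any template or frontend markup relying on attribute styles will now be blocked and show up as violations at the configured report-uri. The same caveat applies to `font-src` losing `data:` and `connect-src` losing `blob:`; the served frontend is not visible from here, so please confirm none of those sources is actually in use, otherwise this is breakage rather than hardening. Since the nonce is now the sole gate for both `script-src` and `style-src`, its generation site (outside this hunk) deserves a comment confirming it is produced per response from `:crypto.strong_rand_bytes/1` and never reused. A line such as `# nonce-only style-src: style="" attributes are not covered by nonces; inline <style> must carry #{nonce_tag}` above `style_src` would record the intent for the next maintainer. csp_string/1 begins and ends outside this hunk.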
@ -140,7 +140,7 @@ defp assert_media_img_src(conn, url) do
|
||||||
defp assert_connect_src(conn, url) do
|
defp assert_connect_src(conn, url) do
|
||||||
conn = get(conn, "/api/v1/instance")
|
conn = get(conn, "/api/v1/instance")
|
||||||
[csp] = Conn.get_resp_header(conn, "content-security-policy")
|
[csp] = Conn.get_resp_header(conn, "content-security-policy")
|
||||||
assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/
|
assert csp =~ ~r/connect-src 'self' [^;]+ #{url}/
|
||||||
end
|
end
|
||||||
|
|
||||||
test "it does not send CSP headers when disabled", %{conn: conn} do
|
test "it does not send CSP headers when disabled", %{conn: conn} do
|
||||||
|
|
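Review bot: The updated regex in `assert_connect_src/2` still interpolates `#{url}` unescaped, so a `.` in the host matches any character and the assertion is looser than it reads; `assert csp =~ ~r/connect-src 'self' [^;]+ #{Regex.escape(url)}/` pins the exact source. This hunk only adapts the test to the removed `blob:`; if nothing else in the file asserts the tightened directives, a check that the header no longer carries `'unsafe-inline'` in `style-src` or `data:` in `font-src` (for example `refute csp =~ ~r/style-src [^;]*'unsafe-inline'/`) would keep the hardening from regressing silently. The enclosing test module continues outside the hunk.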