Refactor CSP config by using Pleroma's HTTPSecurityPlug

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2021-01-25 15:55:52 +01:00
parent c5fd2e185b
commit e0e46a81e3
4 changed files with 143 additions and 9 deletions
--- a/lib/web/router.ex
+++ b/lib/web/router.ex
@@ -4,12 +4,6 @@ defmodule Mobilizon.Web.Router do
  """
  use Mobilizon.Web, :router

-  @csp if Application.fetch_env!(:mobilizon, :env) != :dev,
-         do: "default-src 'self';",
-         else:
-           "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
-  @headers %{"content-security-policy" => @csp}
-
  pipeline :graphql do
    #    plug(:accepts, ["json"])
    plug(Mobilizon.Web.Auth.Pipeline)
@@ -36,7 +30,7 @@ defmodule Mobilizon.Web.Router do

  pipeline :activity_pub_and_html do
    plug(:accepts, ["html", "activity-json"])
-    plug(:put_secure_browser_headers, @headers)
+    plug(:put_secure_browser_headers)

    plug(Cldr.Plug.AcceptLanguage,
      cldr_backend: Mobilizon.Cldr
@@ -44,7 +38,7 @@ defmodule Mobilizon.Web.Router do
  end

  pipeline :atom_and_ical do
-    plug(:put_secure_browser_headers, @headers)
+    plug(:put_secure_browser_headers)
    plug(:accepts, ["atom", "ics", "html"])
  end

@@ -56,7 +50,7 @@ defmodule Mobilizon.Web.Router do
    )

    plug(:accepts, ["html"])
-    plug(:put_secure_browser_headers, @headers)
+    plug(:put_secure_browser_headers)
  end

  pipeline :remote_media do