mirror of
https://github.com/superseriousbusiness/gotosocial.git
synced 2024-11-22 11:46:40 +00:00
[feature] Set Content-Security-Policy header (#2095)
This adds the CSP header with a policy of only loading from the same domain. We don't make use of external media, CSS, JS, fonts, so we don't ever need external data loaded in our context. When building a DEBUG build, the policy gets extended to include localhost:*, i.e localhost on any port. This keeps the live-reloading flow for JS development working. localhost and 127.0.0.1 are considered to be the same so mixing and matching those doesn't result in a CSP violation.
This commit is contained in:
parent
a26af1310f
commit
3aedd937c3
|
@ -245,4 +245,4 @@ If you cannot connect to the site in your browser, the reverse proxy setup doesn
|
|||
|
||||
If you can connect but your posts don't federate and your account cannot be found from elsewhere, check your logs. Federation is broken if you see messages attempting to read your profile (something like `level=INFO … method=GET statusCode=401 path=/users/your_username msg="Unauthorized: …"`) or post to your inbox (something like `level=INFO … method=POST statusCode=404 path=/your_username/inbox msg="Not Found: …"`). Double check the `ProxyPreserveHost` setting.
|
||||
|
||||
If you can connect but you cannot authorize your account in a Mastodon client app, check your headers. Use `curl -I https://example.com` and look for the `Content-Security-Policy` header. If your webserver sets it, you might have to unset it. One way to do that is to use `Header unset Content-Security-Policy` in the Apache site config file (something like `example.com.conf`).
|
||||
If you can connect but you cannot authorize your account in a Mastodon client app, make sure you initiate login from the right domain. When using a [split domain](../../advanced/host-account-domain.md) setup, you have to initiate the login from the `host` domain, not the `account-domain`. GoToSocial sets a `Content-Security-Policy` header to counter XSS and data injection attacks. This header should be left untouched, so make sure your reverse proxy doesn't modify, override or unset it.
|
||||
|
|
|
@ -17,10 +17,17 @@
|
|||
|
||||
package middleware
|
||||
|
||||
import "github.com/gin-gonic/gin"
|
||||
import (
|
||||
"codeberg.org/gruf/go-debug"
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
// ExtraHeaders returns a new gin middleware which adds various extra headers to the response.
|
||||
func ExtraHeaders() gin.HandlerFunc {
|
||||
policy := "default-src 'self'"
|
||||
if debug.DEBUG {
|
||||
policy += " localhost:*"
|
||||
}
|
||||
return func(c *gin.Context) {
|
||||
// Inform all callers which server implementation this is.
|
||||
c.Header("Server", "gotosocial")
|
||||
|
@ -32,5 +39,7 @@ func ExtraHeaders() gin.HandlerFunc {
|
|||
//
|
||||
// See: https://github.com/patcg-individual-drafts/topics
|
||||
c.Header("Permissions-Policy", "browsing-topics=()")
|
||||
// Inform the browser we only load CSS/JS/media from the same domain
|
||||
c.Header("Content-Security-Policy", policy)
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue