3aedd937c3
This adds the CSP header with a policy of only loading from the same domain. We don't make use of external media, CSS, JS, fonts, so we don't ever need external data loaded in our context. When building a DEBUG build, the policy gets extended to include localhost:*, i.e. localhost on any port. This keeps the live-reloading flow for JS development working. localhost and 127.0.0.1 are considered to be the same, so mixing and matching those doesn't result in a CSP violation.
// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
package middleware
import (
"codeberg.org/gruf/go-debug"
"github.com/gin-gonic/gin"
)
// ExtraHeaders returns a new gin middleware which adds various extra headers to the response.
//
// The Content-Security-Policy value is built once, when the middleware is
// constructed, so the per-request handler only writes headers.
func ExtraHeaders() gin.HandlerFunc {
	csp := extraHeadersCSP()

	return func(c *gin.Context) {
		// Advertise which server implementation is answering.
		c.Header("Server", "gotosocial")

		// Prevent Google Chrome cohort tracking. This was originally known as
		// FlocBlock; FLoC was replaced by Topics in 2022, and the spec states
		// that interest-cohort also blocks Topics (as of 2022-Nov).
		//
		// See: https://smartframe.io/blog/google-topics-api-everything-you-need-to-know
		//
		// See: https://github.com/patcg-individual-drafts/topics
		c.Header("Permissions-Policy", "browsing-topics=()")

		// Tell the browser to fetch CSS/JS/media only from our own origin
		// (plus localhost in DEBUG builds, see extraHeadersCSP).
		c.Header("Content-Security-Policy", csp)
	}
}

// extraHeadersCSP returns the Content-Security-Policy header value used by
// ExtraHeaders.
//
// Release builds restrict every fetch directive to the same origin. DEBUG
// builds additionally allow localhost on any port so the JS live-reload
// flow keeps working without CSP violations.
//
// NOTE(review): base-uri, form-action and frame-ancestors do not fall back
// to default-src, so this value alone leaves those unrestricted; confirm
// whether they should be set explicitly.
func extraHeadersCSP() string {
	const sameOrigin = "default-src 'self'"
	if !debug.DEBUG {
		return sameOrigin
	}
	return sameOrigin + " localhost:*"
}