Allow to define custom HTTP headers per each frontend

CHANGELOG.md

@@ -35,7 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
 - Ability to set ActivityPub aliases for follower migration.
 - Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
-- Ability to set the `Service-Worker-Allowed` header
+- Ability to define custom HTTP headers per each frontend
 
 <details>
   <summary>API Changes</summary>

config/config.exs

@@ -723,7 +723,10 @@ config :pleroma, :frontends,
       "git" => "https://git.pleroma.social/pleroma/fedi-fe",
       "build_url" =>
         "https://git.pleroma.social/pleroma/fedi-fe/-/jobs/artifacts/${ref}/download?job=build",
-      "ref" => "master"
+      "ref" => "master",
+      "custom-http-headers" => [
+        {"service-worker-allowed", "/"}
+      ]
     },
     "admin-fe" => %{
       "name" => "admin-fe",

config/description.exs

@@ -60,6 +60,12 @@ frontend_options = [
     label: "Build directory",
     type: :string,
     description: "The directory inside the zip file "
+  },
+  %{
+    key: "custom-http-headers",
+    label: "Custom HTTP headers",
+    type: {:list, :string},
+    description: "The custom HTTP headers for the frontend"
   }
 ]
 
@@ -1749,14 +1755,6 @@ config :pleroma, :config_description, [
         type: :string,
         description: "Adds the specified URL to report-uri and report-to group in CSP header",
         suggestions: ["https://example.com/report-uri"]
-      },
-      %{
-        key: :service_worker_allowed,
-        label: "The Service-Worker-Allowed header",
-        type: :string,
-        description:
-          "Sets the Service-Worker-Allowed header which limits the maximum allowed Service Worker scope",
-        suggestions: ["/"]
       }
     ]
   },

lib/pleroma/web/plugs/http_security_plug.ex

@@ -20,10 +20,26 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
     end
   end
 
-  defp headers do
+  def primary_frontend do
+    with %{"name" => frontend} <- Config.get([:frontends, :primary]),
+         available <- Config.get([:frontends, :available]),
+         %{} = primary_frontend <- Map.get(available, frontend) do
+      {:ok, primary_frontend}
+    end
+  end
+
+  def custom_http_frontend_headers do
+    with {:ok, %{"custom-http-headers" => custom_headers}} <- primary_frontend() do
+      custom_headers
+    else
+      _ -> []
+    end
+  end
+
+  def headers do
     referrer_policy = Config.get([:http_security, :referrer_policy])
     report_uri = Config.get([:http_security, :report_uri])
-    service_worker_allowed = Config.get([:http_security, :service_worker_allowed])
+    custom_http_frontend_headers = custom_http_frontend_headers()
 
     headers = [
       {"x-xss-protection", "1; mode=block"},
@@ -36,8 +52,8 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
     ]
 
     headers =
-      if service_worker_allowed do
+      if custom_http_frontend_headers do
-        [{"service-worker-allowed", service_worker_allowed} | headers]
+        custom_http_frontend_headers ++ headers
       else
         headers
       end

test/pleroma/web/plugs/http_security_plug_test.exs

@@ -75,7 +75,14 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
 
     test "it sets the Service-Worker-Allowed header", %{conn: conn} do
       clear_config([:http_security, :enabled], true)
-      clear_config([:http_security, :service_worker_allowed], "/")
+      clear_config([:frontends, :primary], %{"name" => "fedi-fe", "ref" => "develop"})
+
+      clear_config([:frontends, :available], %{
+        "fedi-fe" => %{
+          "name" => "fedi-fe",
+          "custom-http-headers" => [{"service-worker-allowed", "/"}]
+        }
+      })
 
       conn = get(conn, "/api/v1/instance")
       assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]