Ability to set the Service-Worker-Allowed header

2021-01-08 12:06:04 +03:00 · 2021-01-08 12:06:04 +03:00 · 133644dfa2
commit 133644dfa2
parent d8860eaee4
4 changed files with 25 additions and 1 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -35,7 +35,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
 - Ability to set ActivityPub aliases for follower migration.
 - Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
-
+- Ability to set the `Service-Worker-Allowed` header

 <details>
  <summary>API Changes</summary>
--- a/config/description.exs
+++ b/config/description.exs
@ -1749,6 +1749,14 @@
        type: :string,
        description: "Adds the specified URL to report-uri and report-to group in CSP header",
        suggestions: ["https://example.com/report-uri"]
+      },
+      %{
+        key: :service_worker_allowed,
+        label: "The Service-Worker-Allowed header",
+        type: :string,
+        description:
+          "Sets the Service-Worker-Allowed header which limits the maximum allowed Service Worker scope",
+        suggestions: ["/"]
      }
    ]
  },
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@ -23,6 +23,7 @@ def call(conn, _options) do
  defp headers do
    referrer_policy = Config.get([:http_security, :referrer_policy])
    report_uri = Config.get([:http_security, :report_uri])
+    service_worker_allowed = Config.get([:http_security, :service_worker_allowed])

    headers = [
      {"x-xss-protection", "1; mode=block"},
@ -34,6 +35,13 @@ defp headers do
      {"content-security-policy", csp_string()}
    ]

+    headers =
+      if service_worker_allowed do
+        [{"service-worker-allowed", service_worker_allowed} | headers]
+      else
+        headers
+      end
+
    if report_uri do
      report_group = %{
        "group" => "csp-endpoint",
--- a/test/pleroma/web/plugs/http_security_plug_test.exs
+++ b/test/pleroma/web/plugs/http_security_plug_test.exs
@ -72,6 +72,14 @@ test "default values for img-src and media-src with disabled media proxy", %{con
      assert csp =~ "media-src 'self' https:;"
      assert csp =~ "img-src 'self' data: blob: https:;"
    end
+
+    test "it sets the Service-Worker-Allowed header", %{conn: conn} do
+      clear_config([:http_security, :enabled], true)
+      clear_config([:http_security, :service_worker_allowed], "/")
+
+      conn = get(conn, "/api/v1/instance")
+      assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
+    end
  end

  describe "img-src and media-src" do