From f516e317ea639bf0d2cdf3d1f1e2e00b5b7c90ef Mon Sep 17 00:00:00 2001
From: William Pitcock <nenolod@dereferenced.org>
Date: Sun, 11 Nov 2018 06:10:21 +0000
Subject: [PATCH] plugs: add CSPPlug

---
 lib/pleroma/plugs/csp_plug.ex | 38 +++++++++++++++++++++++++++++++++++
 lib/pleroma/web/endpoint.ex   |  1 +
 2 files changed, 39 insertions(+)
 create mode 100644 lib/pleroma/plugs/csp_plug.ex

diff --git a/lib/pleroma/plugs/csp_plug.ex b/lib/pleroma/plugs/csp_plug.ex
new file mode 100644
index 000000000..15d466c36
--- /dev/null
+++ b/lib/pleroma/plugs/csp_plug.ex
@@ -0,0 +1,38 @@
+defmodule Pleroma.Plugs.CSPPlug do
+  import Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(conn, options) do
+    conn = merge_resp_headers(conn, headers())
+  end
+
+  defp headers do
+    [
+      {"x-xss-protection", "1; mode=block"},
+      {"x-permitted-cross-domain-policies", "none"},
+      {"x-frame-options", "DENY"},
+      {"x-content-type-options", "nosniff"},
+      {"referrer-policy", "same-origin"},
+      {"x-download-options", "noopen"},
+      {"content-security-policy", csp_string() <> ";"}
+    ]
+  end
+
+  defp csp_string do
+    [
+      "default-src 'none'",
+      "base-uri 'self'",
+      "form-action *",
+      "frame-ancestors 'none'",
+      "img-src 'self' data: https:",
+      "media-src 'self' https:",
+      "style-src 'self' 'unsafe-inline'",
+      "font-src 'self'",
+      "script-src 'self'",
+      "connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
+      "upgrade-insecure-requests"
+    ]
+    |> Enum.join("; ")
+  end
+end
diff --git a/lib/pleroma/web/endpoint.ex b/lib/pleroma/web/endpoint.ex
index cb5de087b..370d2d792 100644
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
@@ -12,6 +12,7 @@ defmodule Pleroma.Web.Endpoint do
   # You should set gzip to true if you are running phoenix.digest
   # when deploying your static files in production.
   plug(CORSPlug)
+  plug(Pleroma.Plugs.CSPPlug)
 
   plug(Plug.Static, at: "/media", from: Pleroma.Uploaders.Local.upload_path(), gzip: false)