Merge branch 'service-worker-allowed-header' into 'develop'

Ability to set custom HTTP headers per each frontend

See merge request pleroma/pleroma!3247

CHANGELOG.md

@@ -38,7 +38,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - OAuth improvements and fixes: more secure session-based authentication (by token that could be revoked anytime), ability to revoke belonging OAuth token from any client etc.
 - Ability to set ActivityPub aliases for follower migration.
 - Configurable background job limits for RichMedia (link previews) and MediaProxyWarmingPolicy
-
+- Ability to define custom HTTP headers per each frontend
 
 <details>
   <summary>API Changes</summary>

config/config.exs

@@ -725,7 +725,10 @@
       "git" => "https://git.pleroma.social/pleroma/fedi-fe",
       "build_url" =>
         "https://git.pleroma.social/pleroma/fedi-fe/-/jobs/artifacts/${ref}/download?job=build",
-      "ref" => "master"
+      "ref" => "master",
+      "custom-http-headers" => [
+        {"service-worker-allowed", "/"}
+      ]
     },
     "admin-fe" => %{
       "name" => "admin-fe",

config/description.exs

@@ -60,6 +60,12 @@
     label: "Build directory",
     type: :string,
     description: "The directory inside the zip file "
+  },
+  %{
+    key: "custom-http-headers",
+    label: "Custom HTTP headers",
+    type: {:list, :string},
+    description: "The custom HTTP headers for the frontend"
   }
 ]
 

lib/pleroma/web/plugs/http_security_plug.ex

@@ -20,9 +20,26 @@ def call(conn, _options) do
     end
   end
 
-  defp headers do
+  def primary_frontend do
+    with %{"name" => frontend} <- Config.get([:frontends, :primary]),
+         available <- Config.get([:frontends, :available]),
+         %{} = primary_frontend <- Map.get(available, frontend) do
+      {:ok, primary_frontend}
+    end
+  end
+
+  def custom_http_frontend_headers do
+    with {:ok, %{"custom-http-headers" => custom_headers}} <- primary_frontend() do
+      custom_headers
+    else
+      _ -> []
+    end
+  end
+
+  def headers do
     referrer_policy = Config.get([:http_security, :referrer_policy])
     report_uri = Config.get([:http_security, :report_uri])
+    custom_http_frontend_headers = custom_http_frontend_headers()
 
     headers = [
       {"x-xss-protection", "1; mode=block"},
@@ -34,6 +51,13 @@ defp headers do
       {"content-security-policy", csp_string()}
     ]
 
+    headers =
+      if custom_http_frontend_headers do
+        custom_http_frontend_headers ++ headers
+      else
+        headers
+      end
+
     if report_uri do
       report_group = %{
         "group" => "csp-endpoint",

test/pleroma/web/plugs/http_security_plug_test.exs

@@ -72,6 +72,21 @@ test "default values for img-src and media-src with disabled media proxy", %{con
       assert csp =~ "media-src 'self' https:;"
       assert csp =~ "img-src 'self' data: blob: https:;"
     end
+
+    test "it sets the Service-Worker-Allowed header", %{conn: conn} do
+      clear_config([:http_security, :enabled], true)
+      clear_config([:frontends, :primary], %{"name" => "fedi-fe", "ref" => "develop"})
+
+      clear_config([:frontends, :available], %{
+        "fedi-fe" => %{
+          "name" => "fedi-fe",
+          "custom-http-headers" => [{"service-worker-allowed", "/"}]
+        }
+      })
+
+      conn = get(conn, "/api/v1/instance")
+      assert Conn.get_resp_header(conn, "service-worker-allowed") == ["/"]
+    end
   end
 
   describe "img-src and media-src" do