Include Soapbox sentryDsn in CSP

Alex Gleason
2024-11-14 20:12:27 -06:00
parent 55f50ba93d
commit 02ada73f48
3 changed files with 49 additions and 29 deletions


@@ -1,15 +1,30 @@
import { AppMiddleware } from '@/app.ts';
import { Conf } from '@/config.ts';
import { PleromaConfigDB } from '@/utils/PleromaConfigDB.ts';
import { Storages } from '@/storages.ts';
import { getPleromaConfigs } from '@/utils/pleroma.ts';
let configDBCache: Promise<PleromaConfigDB> | undefined;
export const cspMiddleware = (): AppMiddleware => {
return async (c, next) => {
const store = await Storages.db();
if (!configDBCache) {
configDBCache = getPleromaConfigs(store);
}
const { host, protocol, origin } = Conf.url;
const wsProtocol = protocol === 'http:' ? 'ws:' : 'wss:';
const configDB = await configDBCache;
const sentryDsn = configDB.getIn(':pleroma', ':frontend_configurations', ':soapbox_fe', 'sentryDsn');
const policies = [
'upgrade-insecure-requests',
`script-src 'self'`,
`connect-src 'self' blob: ${origin} ${wsProtocol}//${host}`,
`connect-src 'self' blob: ${origin} ${wsProtocol}//${host}` + typeof sentryDsn === 'string'
? ` ${sentryDsn}`
: '',
`media-src 'self' https:`,
`img-src 'self' data: blob: https:`,
`default-src 'none'`,