adding proper CSP header plug and setting ignore config for mix sobelow

2021-04-06 18:40:08 -04:00 · 2021-04-06 18:40:08 -04:00 · c7ef111ebe
parent 10fbc6732b
commit c7ef111ebe
3 changed files with 35 additions and 0 deletions
--- a/.sobelow-conf
+++ b/.sobelow-conf
@ -0,0 +1,12 @@
+[
+  verbose: true,
+  private: false,
+  skip: false,
+  router: "",
+  exit: "low",
+  format: "txt",
+  out: "",
+  threshold: "low",
+  ignore: ["Config.CSP", "Config.HTTPS"],
+  ignore_files: [""]
+]
--- a/lib/home73k_web/csp_header.ex
+++ b/lib/home73k_web/csp_header.ex
@ -0,0 +1,21 @@
+defmodule Home73kWeb.CSPHeader do
+  import Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    put_resp_header conn, "content-security-policy", csp(conn)
+  end
+
+  defp csp(conn) do
+    "default-src 'self'; \
+    connect-src 'self' #{ws_url conn} #{ws_url conn, "wss"}; \
+    script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
+    style-src 'self' 'unsafe-inline' 'unsafe-eval'"
+  end
+
+  defp ws_url(conn, protocol \\ "ws") do
+    endpoint = Phoenix.Controller.endpoint_module(conn)
+    %{endpoint.struct_url | scheme: protocol} |> URI.to_string()
+  end
+end
--- a/lib/home73k_web/router.ex
+++ b/lib/home73k_web/router.ex
@ -1,5 +1,6 @@
 defmodule Home73kWeb.Router do
  use Home73kWeb, :router
+  alias Home73kWeb.CSPHeader

  pipeline :browser do
    plug :accepts, ["html"]
@ -8,6 +9,7 @@ defmodule Home73kWeb.Router do
    plug :put_root_layout, {Home73kWeb.LayoutView, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
+    plug CSPHeader
  end

  pipeline :xml_rss do