From c7ef111ebecbb38a73aa2a632d990c14f503ca0a Mon Sep 17 00:00:00 2001
From: Adam Piontek
Date: Tue, 6 Apr 2021 18:40:08 -0400
Subject: [PATCH] adding proper CSP header plug and setting ignore config for mix sobelow

---
 .sobelow-conf | 12 ++++++++++++
 lib/home73k_web/csp_header.ex | 21 +++++++++++++++++++++
 lib/home73k_web/router.ex | 2 ++
 3 files changed, 35 insertions(+)
 create mode 100644 .sobelow-conf
 create mode 100644 lib/home73k_web/csp_header.ex

diff --git a/.sobelow-conf b/.sobelow-conf
new file mode 100644
index 0000000..d1b49e5
--- /dev/null
+++ b/.sobelow-conf
@@ -0,0 +1,12 @@
+[
+  verbose: true,
+  private: false,
+  skip: false,
+  router: "",
+  exit: "low",
+  format: "txt",
+  out: "",
+  threshold: "low",
+  ignore: ["Config.CSP", "Config.HTTPS"],
+  ignore_files: [""]
+]
diff --git a/lib/home73k_web/csp_header.ex b/lib/home73k_web/csp_header.ex
new file mode 100644
index 0000000..2b8d5e9
--- /dev/null
+++ b/lib/home73k_web/csp_header.ex
@@ -0,0 +1,21 @@
+defmodule Home73kWeb.CSPHeader do
+  import Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    put_resp_header conn, "content-security-policy", csp(conn)
+  end
+
+  defp csp(conn) do
+    "default-src 'self'; \
+    connect-src 'self' #{ws_url conn} #{ws_url conn, "wss"}; \
+    script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
+    style-src 'self' 'unsafe-inline' 'unsafe-eval'"
+  end
+
+  defp ws_url(conn, protocol \\ "ws") do
+    endpoint = Phoenix.Controller.endpoint_module(conn)
+    %{endpoint.struct_url | scheme: protocol} |> URI.to_string()
+  end
+end
diff --git a/lib/home73k_web/router.ex b/lib/home73k_web/router.ex
index 7513ea4..b50998c 100644
--- a/lib/home73k_web/router.ex
+++ b/lib/home73k_web/router.ex
@@ -1,5 +1,6 @@
 defmodule Home73kWeb.Router do
   use Home73kWeb, :router
+  alias Home73kWeb.CSPHeader
 
   pipeline :browser do
     plug :accepts, ["html"]
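Review bot: The `ignore` entry near the end of the `.sobelow-conf` hunk silences `Config.HTTPS` as well as `Config.CSP`, and only the latter is explained by this commit. Ignoring `Config.CSP` is defensible because, as far as I recall, Sobelow only recognises a policy handed to `put_secure_browser_headers`, so a CSP set by a separate plug would otherwise be reported as missing; `Config.HTTPS`, however, flags a missing `https`/`force_ssl` endpoint configuration, which is unrelated to a CSP plug. If TLS is terminated by a proxy in front of the app, record that in a comment beside the entry; otherwise keep the finding visible with `ignore: ["Config.CSP"],`. Separately, `ignore_files: [""]` carries an empty-string path rather than no entries; `ignore_files: []` says what is meant.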
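Review bot: The `script-src` directive built in `csp/1` grants `'unsafe-inline'` and `'unsafe-eval'`, so any injected inline `<script>` or `eval`-based payload still executes and the policy gives essentially no XSS protection, which is the main reason to ship a CSP; `'unsafe-eval'` in `style-src` has no meaning for stylesheets and browsers ignore it. Phoenix's own inline scripts (the socket bootstrap in the root layout, for example) can be permitted with a per-request nonce instead: generate it in `call/2`, expose it with `assign/3`, and have the root layout emit `nonce={@csp_nonce}` on each `<script>` tag — the layout is not part of this commit, so that edit would be needed alongside. If a dev-mode bundler genuinely requires `eval`, gate `'unsafe-eval'` behind a dev-only config flag rather than putting it in the production policy. It is also worth adding `object-src 'none'; base-uri 'self'; frame-ancestors 'self'`, since `base-uri` and `frame-ancestors` do not fall back to `default-src`.
```elixir
  def call(conn, _opts) do
    # Per-request nonce; the root layout must emit nonce={@csp_nonce} on every <script>.
    nonce = 16 |> :crypto.strong_rand_bytes() |> Base.url_encode64(padding: false)

    conn
    |> assign(:csp_nonce, nonce)
    |> put_resp_header("content-security-policy", csp(conn, nonce))
  end

  defp csp(conn, nonce) do
    "default-src 'self'; \
    connect-src 'self' #{ws_url conn} #{ws_url conn, "wss"}; \
    script-src 'self' 'nonce-#{nonce}'; \
    style-src 'self' 'unsafe-inline'; \
    object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
  end

  # … unchanged: init/1 and ws_url/2 …
```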
@@ -8,6 +9,7 @@ defmodule Home73kWeb.Router do
     plug :put_root_layout, {Home73kWeb.LayoutView, :root}
     plug :protect_from_forgery
     plug :put_secure_browser_headers
+    plug CSPHeader
   end
 
   pipeline :xml_rss do
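Review bot: `plug CSPHeader` is ordered after `plug :put_secure_browser_headers`, and the new plug writes its header with `put_resp_header/3`, which replaces any existing `content-security-policy` value rather than merging with it; on Phoenix versions where `put_secure_browser_headers` already emits a baseline policy (`base-uri 'self'; frame-ancestors 'self'`), those directives are silently dropped here. I cannot tell the Phoenix version from this diff, so that is worth checking; if it applies, fold those directives into the plug's policy, or pass a static policy through the helper instead with `plug :put_secure_browser_headers, %{"content-security-policy" => policy}` (which would also satisfy Sobelow's check, though it cannot use the per-request `ws_url`). A one-line comment on the `plug CSPHeader` line noting that it intentionally overrides the helper's CSP would make the ordering dependency explicit for the next reader.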