adding proper CSP header plug and setting ignore config for mix sobelow

2021-04-06 18:40:08 -04:00 · 2021-04-06 18:40:08 -04:00 · c7ef111ebe
commit c7ef111ebe
parent 10fbc6732b
3 changed files with 35 additions and 0 deletions
--- a/.sobelow-conf
+++ b/.sobelow-conf
@ -0,0 +1,12 @@
 [
  verbose: true,
  private: false,
  skip: false,
  router: "",
  exit: "low",
  format: "txt",
  out: "",
  threshold: "low",
  ignore: ["Config.CSP", "Config.HTTPS"],
  ignore_files: [""]
 ]
--- a/lib/home73k_web/csp_header.ex
+++ b/lib/home73k_web/csp_header.ex
@ -0,0 +1,21 @@
 defmodule Home73kWeb.CSPHeader do
  import Plug.Conn
  def init(opts), do: opts
  def call(conn, _opts) do
    put_resp_header conn, "content-security-policy", csp(conn)
  end
  defp csp(conn) do
    "default-src 'self'; \
    connect-src 'self' #{ws_url conn} #{ws_url conn, "wss"}; \
    script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
    style-src 'self' 'unsafe-inline' 'unsafe-eval'"
  end
  defp ws_url(conn, protocol \\ "ws") do
    endpoint = Phoenix.Controller.endpoint_module(conn)
    %{endpoint.struct_url | scheme: protocol} |> URI.to_string()
  end
 end
--- a/lib/home73k_web/router.ex
+++ b/lib/home73k_web/router.ex
@ -1,5 +1,6 @@
 defmodule Home73kWeb.Router do
  use Home73kWeb, :router
  alias Home73kWeb.CSPHeader
  pipeline :browser do
    plug :accepts, ["html"]
@ -8,6 +9,7 @@ defmodule Home73kWeb.Router do
    plug :put_root_layout, {Home73kWeb.LayoutView, :root}
    plug :protect_from_forgery
    plug :put_secure_browser_headers
    plug CSPHeader
  end
  pipeline :xml_rss do