implement proper support for forbidding remote media-tag inclusion

...and test that the basic headers are correctly set on the checkup page
pull/1/head
ansuz 3 years ago
parent fa8e901f54
commit 0917b45035

@ -50,7 +50,7 @@ Default.httpHeaders = function (Env) {
return { return {
"X-XSS-Protection": "1; mode=block", "X-XSS-Protection": "1; mode=block",
"X-Content-Type-Options": "nosniff", "X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Origin": Env.disableEmbedding? '': "*", "Access-Control-Allow-Origin": Env.disableEmbedding? Env.permittedEmbedders: "*",
"Permissions-policy":"interest-cohort=()" "Permissions-policy":"interest-cohort=()"
}; };
}; };
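Review bot: `Access-Control-Allow-Origin` carries a single origin, `*` or `null`, never a list, so the new `Env.permittedEmbedders` value on the changed line only works if it holds exactly one canonical origin; if the config option is meant to accept several embedders the header becomes invalid and browsers refuse every cross-origin load. A comment on that line would prevent the obvious misconfiguration, e.g. `// ACAO accepts exactly one origin (or '*'): permittedEmbedders must be a single canonical origin`. The same ternary is repeated in the /blob HEAD and OPTIONS handlers in this commit; computing it once would keep the three in step. The enclosing `Default.httpHeaders` function starts before the hunk.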

@ -28,6 +28,8 @@ module.exports.create = function (config) {
httpUnsafeOrigin: canonicalizeOrigin(config.httpUnsafeOrigin), httpUnsafeOrigin: canonicalizeOrigin(config.httpUnsafeOrigin),
httpSafeOrigin: canonicalizeOrigin(config.httpSafeOrigin), httpSafeOrigin: canonicalizeOrigin(config.httpSafeOrigin),
permittedEmbedders: typeof(config.permittedEmbedders) === 'string'? config.permittedEmbedders: canonicalizeOrigin(config.httpSafeOrigin),
removeDonateButton: config.removeDonateButton, removeDonateButton: config.removeDonateButton,
httpPort: isValidPort(config.httpPort)? config.httpPort: 3000, httpPort: isValidPort(config.httpPort)? config.httpPort: 3000,
httpAddress: typeof(config.httpAddress) === 'string'? config.httpAddress: '127.0.0.1', httpAddress: typeof(config.httpAddress) === 'string'? config.httpAddress: '127.0.0.1',
@ -68,7 +70,6 @@ module.exports.create = function (config) {
archiveRetentionTime: config.archiveRetentionTime, archiveRetentionTime: config.archiveRetentionTime,
accountRetentionTime: config.accountRetentionTime, accountRetentionTime: config.accountRetentionTime,
// TODO implement mutability
adminEmail: config.adminEmail, adminEmail: config.adminEmail,
supportMailbox: config.supportMailboxPublicKey, supportMailbox: config.supportMailboxPublicKey,
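Review bot: The added `permittedEmbedders` line passes a configured string through untouched, while the neighbouring `httpUnsafeOrigin` and `httpSafeOrigin` values go through `canonicalizeOrigin`; a trailing slash or path in the configured value would then be emitted verbatim in `Access-Control-Allow-Origin` and never match a browser's `Origin`, nor the checkup page's comparison. Unless the value is intended to carry something `canonicalizeOrigin` would alter, `permittedEmbedders: typeof(config.permittedEmbedders) === 'string'? canonicalizeOrigin(config.permittedEmbedders): canonicalizeOrigin(config.httpSafeOrigin),` keeps the three origin fields consistent. If `canonicalizeOrigin` can return a non-string for an unset `httpSafeOrigin`, the fallback leaves `permittedEmbedders` unset as well and the header-setting code downstream receives an invalid value; a guard or a startup log line here would surface that. The enclosing `create` object literal starts and ends outside the hunk.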

@ -126,7 +126,7 @@ app.use('/blob', function (req, res, next) {
if (req.method === 'HEAD') { if (req.method === 'HEAD') {
Express.static(Path.join(__dirname, Env.paths.blob), { Express.static(Path.join(__dirname, Env.paths.blob), {
setHeaders: function (res, path, stat) { setHeaders: function (res, path, stat) {
res.set('Access-Control-Allow-Origin', '*'); res.set('Access-Control-Allow-Origin', Env.disableEmbedding? Env.permittedEmbedders: '*');
res.set('Access-Control-Allow-Headers', 'Content-Length'); res.set('Access-Control-Allow-Headers', 'Content-Length');
res.set('Access-Control-Expose-Headers', 'Content-Length'); res.set('Access-Control-Expose-Headers', 'Content-Length');
} }
@ -138,7 +138,7 @@ app.use('/blob', function (req, res, next) {
app.use(function (req, res, next) { app.use(function (req, res, next) {
if (req.method === 'OPTIONS' && /\/blob\//.test(req.url)) { if (req.method === 'OPTIONS' && /\/blob\//.test(req.url)) {
res.setHeader('Access-Control-Allow-Origin', '*'); res.setHeader('Access-Control-Allow-Origin', Env.disableEmbedding? Env.permittedEmbedders: '*');
res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS'); res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'); res.setHeader('Access-Control-Allow-Headers', 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range');
res.setHeader('Access-Control-Max-Age', 1728000); res.setHeader('Access-Control-Max-Age', 1728000);
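Review bot: Both changed `res.set`/`res.setHeader` lines hand `Env.permittedEmbedders` straight to the response; if that value can ever be undefined (an unset `httpSafeOrigin` in config, depending on what `canonicalizeOrigin` returns), Node's header validation throws on every HEAD and OPTIONS request under /blob instead of degrading to a closed CORS policy. The ternary now appears in three places in this commit; assuming `Env` is fixed once at startup, hoisting it, e.g. `var allowOrigin = Env.disableEmbedding ? Env.permittedEmbedders : '*';` near the top of this module together with a startup check that it is a non-empty string, keeps the behaviour in one spot. Both enclosing handlers start before their hunks.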

@ -1026,23 +1026,31 @@ define([
assert(function (cb, msg) { assert(function (cb, msg) {
var header = 'Access-Control-Allow-Origin'; var header = 'Access-Control-Allow-Origin';
msg.appendChild(h('span', [ // XXX update text to indicate that the value doesn't match their preference
'Assets must be served with an ',
code(header),
' header with a value of ',
code("'*'"),
' if you wish to support embedding of encrypted media on third party websites.',
]));
Tools.common_xhr('/', function (xhr) { Tools.common_xhr('/', function (xhr) {
var raw = xhr.getResponseHeader(header); var raw = xhr.getResponseHeader(header);
if (ApiConfig.disableEmbedding) { if (ApiConfig.disableEmbedding) {
if ([null, ''].includes(raw)) { return void cb(true); } if (raw === trimmedSafe) { return void cb(true); }
else { else {
return void cb(raw === '*' || raw); msg.appendChild(h('span', [
'This instance has been configured to disable support for embedding assets in third-party websites. ',
'In order for this setting to be effective while still permitting encrypted media to load locally ',
'the ',
code(header),
' should only match trusted domains.',
]));
return void cb(raw);
} }
} }
msg.appendChild(h('span', [
'Assets must be served with an ',
code(header),
' header with a value of ',
code("'*'"),
' if you wish to support embedding of encrypted media on third party websites.',
]));
cb(raw === "*" || raw); cb(raw === "*" || raw);
}); });
}); });
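Review bot: The new `if (raw === trimmedSafe)` branch only recognises the canonical safe origin, so an admin who sets `permittedEmbedders` to a different trusted origin gets a failing checkup entry even though the server sends exactly what was configured; the leftover `// XXX update text to indicate that the value doesn't match their preference` comment acknowledges this and should be resolved rather than shipped. If `ApiConfig` exposes the configured value, comparing against it and falling back to `trimmedSafe` would make the check agree with the server; otherwise the appended message should state that the safe origin specifically is expected. `trimmedSafe` is defined outside the hunk, and the else branch's `cb(raw)` passes any non-null header value through as the result, which reads as a pass for an arbitrary non-empty string unless the assert helper treats only `true` as success — worth confirming. The `assert(function ...)` call is complete within the hunk but the surrounding `define([` wrapper is not.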
