Add Content-Security-Policy header to Convos #508 #567

convos-chat · Feb 13, 2021 · 1091cfe · 1091cfe
1 parent 4d66407
commit 1091cfe
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/lib/Convos.pm b/lib/Convos.pm
@@ -132,6 +132,7 @@ sub _before_dispatch {
   $settings->save_p({base_url => $base_url}) if !CONVOS_GET and $settings->base_url ne $base_url;
   $c->app->sessions->secure($ENV{CONVOS_SECURE_COOKIES} || $base_url->scheme eq 'https' ? 1 : 0);
   $c->res->headers->header('X-Provider-Name', 'ConvosApp');
+  $c->res->headers->content_security_policy($c->app->_content_security_policy);
 
   # Used when registering the first user
   $c->stash(first_user => 1) if !$c->session('email') and !$c->app->core->n_users;
@@ -160,6 +161,23 @@ sub _config {
   return $config;
 }
 
+sub _content_security_policy {
+  return join(' ',
+    map {"$_;"} q(block-all-mixed-content),
+    q(base-uri 'self'),
+    q(connect-src 'self'),
+    q(frame-ancestors 'none'),
+    q(manifest-src 'self'),
+    q(default-src 'none'),
+    q(font-src 'self'),
+    q(frame-src 'self'),
+    q(img-src *),
+    q(object-src 'none'),
+    q(script-src 'self' 'unsafe-inline' 'unsafe-eval'),
+    q(style-src 'self' 'unsafe-inline'),
+  );
+}
+
 sub _home_in_share {
   my $self = shift;
   my $rel  = path(qw(auto share dist Convos))->to_string;

diff --git a/t/web-production.t b/t/web-production.t
@@ -0,0 +1,11 @@
+#!perl
+use lib '.';
+use t::Helper;
+
+$ENV{CONVOS_BACKEND} = 'Convos::Core::Backend';
+$ENV{MOJO_MODE}      = 'production';
+
+my $t = t::Helper->t;
+$t->get_ok('/')->status_is(200)->header_is('Content-Security-Policy', q(block-all-mixed-content; base-uri 'self'; connect-src 'self'; frame-ancestors 'none'; manifest-src 'self'; default-src 'none'; font-src 'self'; frame-src 'self'; img-src *; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';));
+
+done_testing;