[feature] Set some security related headers (#3065)
* Set frame-ancestors in the CSP This ensures we can't be loaded/embedded in an iframe. It also sets the older X-Frame-Options for fallback. * Disable MIME type sniffing * Set Referrer-Policy This sets the policy such that browsers will never send the Referer header along with a request, unless it's a request to the same protocol, host/domain and port. Basically, only send it when navigating through our own UI, but not anything external. The default is strict-origin-when-cross-origin when unset, which sends the Referer header for requests unless it's going from HTTPS to HTTP (i.e a security downgrade, hence the 'strict').
This commit is contained in:
Daenney
GitHub
parent
fde0c6bc8c
commit
02d6e2e3bc
|
|
@ -40,6 +40,7 @@ func BuildContentSecurityPolicy(extraURIs ...string) string {
|
||||||
objectSrc = "object-src"
|
objectSrc = "object-src"
|
||||||
imgSrc = "img-src"
|
imgSrc = "img-src"
|
||||||
mediaSrc = "media-src"
|
mediaSrc = "media-src"
|
||||||
|
frames = "frame-ancestors"
|
||||||
|
|
||||||
self = "'self'"
|
self = "'self'"
|
||||||
none = "'none'"
|
none = "'none'"
|
||||||
|
|
@ -102,6 +103,14 @@ func BuildContentSecurityPolicy(extraURIs ...string) string {
|
||||||
extraURIs...,
|
extraURIs...,
|
||||||
)
|
)
|
||||||
|
|
||||||
|
/*
|
||||||
|
frame-ancestors
|
||||||
|
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
|
||||||
|
*/
|
||||||
|
|
||||||
|
// Don't allow embedding us in an iframe
|
||||||
|
values[frames] = []string{none}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
Assemble policy directives.
|
Assemble policy directives.
|
||||||
*/
|
*/
|
||||||
|
|
|
||||||
|
|
@ -27,6 +27,15 @@ func ExtraHeaders() gin.HandlerFunc {
|
||||||
// Inform all callers which server implementation this is.
|
// Inform all callers which server implementation this is.
|
||||||
c.Header("Server", "gotosocial")
|
c.Header("Server", "gotosocial")
|
||||||
|
|
||||||
|
// Equivalent to CSP frame-ancestors for older browsers
|
||||||
|
c.Header("X-Frame-Options", "DENY")
|
||||||
|
|
||||||
|
// Don't do MIME type sniffing
|
||||||
|
c.Header("X-Content-Type-Options", "nosniff")
|
||||||
|
|
||||||
|
// Only send Referer header for URLs matching our protocol, hostname and port
|
||||||
|
c.Header("Referrer-Policy", "same-origin")
|
||||||
|
|
||||||
// Prevent google chrome cohort tracking. Originally this was referred
|
// Prevent google chrome cohort tracking. Originally this was referred
|
||||||
// to as FlocBlock. Floc was replaced by Topics in 2022 and the spec says
|
// to as FlocBlock. Floc was replaced by Topics in 2022 and the spec says
|
||||||
// that interest-cohort will also block Topics (as of 2022-Nov).
|
// that interest-cohort will also block Topics (as of 2022-Nov).
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue