From a51b36fb75044949c9c028ba9f788d617f6c5dae Mon Sep 17 00:00:00 2001 From: Thomas Citharel Date: Fri, 4 Nov 2022 16:10:24 +0100 Subject: [PATCH 1/3] Fix building CSP policy You can't use 'none' as a CSP Policy if there's other things among Signed-off-by: Thomas Citharel --- config/config.exs | 2 +- lib/web/plugs/http_security_plug.ex | 32 +++++++++++++++------- test/web/plugs/http_security_plug_test.exs | 2 +- 3 files changed, 24 insertions(+), 12 deletions(-) diff --git a/config/config.exs b/config/config.exs index fef8c6ddd..dd5e28b6a 100644 --- a/config/config.exs +++ b/config/config.exs @@ -368,7 +368,7 @@ config :mobilizon, Mobilizon.Service.GlobalSearch, config :mobilizon, Mobilizon.Service.GlobalSearch.SearchMobilizon, endpoint: "https://search.joinmobilizon.org", csp_policy: [ - img_src: "search.joinmobilizon.org" + img_src: ["search.joinmobilizon.org"] ] # Import environment specific config. This must remain at the bottom diff --git a/lib/web/plugs/http_security_plug.ex b/lib/web/plugs/http_security_plug.ex index 912c98657..862803b49 100644 --- a/lib/web/plugs/http_security_plug.ex +++ b/lib/web/plugs/http_security_plug.ex @@ -119,13 +119,8 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do font_src = [@font_src] ++ [get_csp_config(:font_src, options)] - frame_src = if Config.get(:env) == :dev, do: "frame-src 'self' ", else: "frame-src 'none' " - frame_src = [frame_src] ++ [get_csp_config(:frame_src, options)] - - frame_ancestors = - if Config.get(:env) == :dev, do: "frame-ancestors 'self' ", else: "frame-ancestors 'none' " - - frame_ancestors = [frame_ancestors] ++ [get_csp_config(:frame_ancestors, options)] + frame_src = build_csp_field(:frame_src, options) + frame_ancestors = build_csp_field(:frame_ancestors, options) report = if report_uri, do: ["report-uri ", report_uri, " ; report-to csp-endpoint"] insecure = if scheme == "https", do: "upgrade-insecure-requests" @@ -162,9 +157,9 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do @spec get_csp_config(atom(), Keyword.t()) :: iodata() defp get_csp_config(type, options) do config_policy = Keyword.get(options, type, Config.get([:http_security, :csp_policy, type])) - front_end_analytics_policy = [Keyword.get(FrontEndAnalytics.csp(), type, [])] - global_search_policy = [Keyword.get(GlobalSearch.service().csp(), type, [])] - pictures_policy = [Keyword.get(Pictures.service().csp(), type, [])] + front_end_analytics_policy = Keyword.get(FrontEndAnalytics.csp(), type, []) + global_search_policy = Keyword.get(GlobalSearch.service().csp(), type, []) + pictures_policy = Keyword.get(Pictures.service().csp(), type, []) resource_providers = Config.get([Mobilizon.Service.ResourceProviders, :csp_policy, type], []) @@ -175,4 +170,21 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do " " ) end + + defp build_csp_field(type, options) do + csp_config = get_csp_config(type, options) + + csp_config = + if Config.get(:env) == :dev do + [csp_config] ++ ["'self'"] + else + if csp_config == "" do + ["'none'"] + else + [csp_config] + end + end + + Enum.join([type |> to_string() |> String.replace("_", "-")] ++ csp_config, " ") + end end diff --git a/test/web/plugs/http_security_plug_test.exs b/test/web/plugs/http_security_plug_test.exs index e36921fec..7b8a2ef7f 100644 --- a/test/web/plugs/http_security_plug_test.exs +++ b/test/web/plugs/http_security_plug_test.exs @@ -93,7 +93,7 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlugTest do [csp] = Conn.get_resp_header(conn, "content-security-policy") assert csp =~ - ~r/script-src 'self' 'unsafe-eval' 'sha256-[\w+\/=]*' 'sha256-[\w+\/=]*' example.com matomo.example.com\s+;/ + ~r/script-src 'self' 'unsafe-eval' 'sha256-[\w+\/=]*' 'sha256-[\w+\/=]*' example.com matomo.example.com;/ end end From 5078f890cea0080d46d397b8184abc4ab318fd87 Mon Sep 17 00:00:00 2001 From: Thomas Citharel Date: Fri, 4 Nov 2022 16:11:36 +0100 Subject: [PATCH 2/3] Add loading="lazy" to some images, except categories in viewport Signed-off-by: Thomas Citharel --- js/src/components/Categories/CategoryCard.vue | 4 +++- js/src/components/Home/CategoriesPreview.vue | 1 + js/src/components/Image/LazyImage.vue | 1 + 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/js/src/components/Categories/CategoryCard.vue b/js/src/components/Categories/CategoryCard.vue index d030ed88f..e3c10057a 100644 --- a/js/src/components/Categories/CategoryCard.vue +++ b/js/src/components/Categories/CategoryCard.vue @@ -29,7 +29,7 @@ width="384" height="384" alt="" - loading="lazy" + :loading="imageLazy ? 'lazy' : undefined" />

(), { withDetails: false, + imageLazy: true, } ); diff --git a/js/src/components/Home/CategoriesPreview.vue b/js/src/components/Home/CategoriesPreview.vue index 495272f4a..e75ccccc2 100644 --- a/js/src/components/Home/CategoriesPreview.vue +++ b/js/src/components/Home/CategoriesPreview.vue @@ -7,6 +7,7 @@ :key="category.key" :category="category" :with-details="false" + :imageLazy="false" /> From bc81b1830d23604d859ef1309d90e103324f52b4 Mon Sep 17 00:00:00 2001 From: Thomas Citharel Date: Fri, 4 Nov 2022 16:15:31 +0100 Subject: [PATCH 3/3] Add empty alt attribute to uploaded pictures (for now) Signed-off-by: Thomas Citharel --- js/src/components/TextEditor.vue | 1 + 1 file changed, 1 insertion(+) diff --git a/js/src/components/TextEditor.vue b/js/src/components/TextEditor.vue index 9a5b12abc..71b584fcd 100644 --- a/js/src/components/TextEditor.vue +++ b/js/src/components/TextEditor.vue @@ -428,6 +428,7 @@ uploadMediaDone(({ data }) => { .focus() .setImage({ src: data.uploadMedia.url, + alt: '', // eslint-disable-next-line @typescript-eslint/ban-ts-comment // @ts-ignore "data-media-id": data.uploadMedia.id,