gotosocial/internal/middleware/extraheaders.go

// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package middleware

import (
	"codeberg.org/gruf/go-debug"
	"github.com/gin-gonic/gin"
	"github.com/superseriousbusiness/gotosocial/internal/config"
)

// ExtraHeaders returns a new gin middleware which adds various extra headers to the response.
func ExtraHeaders() gin.HandlerFunc {
	csp := BuildContentSecurityPolicy()

	return func(c *gin.Context) {
		// Inform all callers which server implementation this is.
		c.Header("Server", "gotosocial")

		// Prevent google chrome cohort tracking. Originally this was referred
		// to as FlocBlock. Floc was replaced by Topics in 2022 and the spec says
		// that interest-cohort will also block Topics (as of 2022-Nov).
		//
		// See: https://smartframe.io/blog/google-topics-api-everything-you-need-to-know
		//
		// See: https://github.com/patcg-individual-drafts/topics
		c.Header("Permissions-Policy", "browsing-topics=()")

		// Inform the browser we only load
		// CSS/JS/media using the given policy.
		c.Header("Content-Security-Policy", csp)
	}
}

func BuildContentSecurityPolicy() string {
	// Start with restrictive policy.
	policy := "default-src 'self'"

	if debug.DEBUG {
		// Debug is enabled, allow
		// serving things from localhost
		// as well (regardless of port).
		policy += " localhost:* ws://localhost:*"
	}

	// Disallow object-src as recommended https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src
	policy += "; object-src 'none'"

	s3Endpoint := config.GetStorageS3Endpoint()
	if s3Endpoint == "" || config.GetStorageS3Proxy() {
		// S3 not configured or in proxy mode, just allow images from self and blob:
		policy += "; img-src 'self' blob:"
		return policy
	}

	// S3 is on and in non-proxy mode, so we need to add the S3 host to
	// the policy to allow images and video to be pulled from there too.

	// If secure is false,
	// use 'http' scheme.
	scheme := "https"
	if !config.GetStorageS3UseSSL() {
		scheme = "http"
	}

	// Construct endpoint URL.
	s3EndpointURLStr := scheme + "://" + s3Endpoint

	// When object storage is in use in non-proxied mode, GtS still serves some
	// assets itself like the logo, so keep 'self' in there. That should also
	// handle any redirects from the fileserver to object storage.

	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
	policy += "; img-src 'self' blob: " + s3EndpointURLStr

	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
	policy += "; media-src 'self' " + s3EndpointURLStr

	return policy
}
[chore] Improve copyright header handling (#1608) * [chore] Remove years from all license headers Years or year ranges aren't required in license headers. Many projects have removed them in recent years and it avoids a bit of yearly toil. In many cases our copyright claim was also a bit dodgy since we added the 2021-2023 header to files created after 2021 but you can't claim copyright into the past that way. * [chore] Add license header check This ensures a license header is always added to any new file. This avoids maintainers/reviewers needing to remember to check for and ask for it in case a contribution doesn't include it. * [chore] Add missing license headers * [chore] Further updates to license header * Use the more common // indentend comment format * Remove the hack we had for the linter now that we use the // format * Add SPDX license identifier 2023-03-12 15:00:57 +00:00			`// GoToSocial`
			`// Copyright (C) GoToSocial Authors admin@gotosocial.org`
			`// SPDX-License-Identifier: AGPL-3.0-or-later`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU Affero General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU Affero General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Affero General Public License`
			`// along with this program. If not, see <http://www.gnu.org/licenses/>.`
[feature] More consistent API error handling (#637) * update templates * start reworking api error handling * update template * return AP status at web endpoint if negotiated * start making api error handling much more consistent * update account endpoints to new error handling * use new api error handling in admin endpoints * go fmt ./... * use api error logic in app * use generic error handling in auth * don't export generic error handler * don't defer clearing session * user nicer error handling on oidc callback handler * tidy up the sign in handler * tidy up the token handler * use nicer error handling in blocksget * auth emojis endpoint * fix up remaining api endpoints * fix whoopsie during login flow * regenerate swagger docs * change http error logging to debug 2022-06-08 19:38:03 +01:00
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 12:10:50 +00:00			`package middleware`
Inbox post (#22) Inbox POST from federated servers now working for statuses and follow requests. Follow request client API added. Start work on federating outgoing messages. Other fixes and changes/tidying up. 2021-05-15 10:58:11 +01:00
[feature] Set Content-Security-Policy header (#2095) This adds the CSP header with a policy of only loading from the same domain. We don't make use of external media, CSS, JS, fonts, so we don't ever need external data loaded in our context. When building a DEBUG build, the policy gets extended to include localhost:*, i.e localhost on any port. This keeps the live-reloading flow for JS development working. localhost and 127.0.0.1 are considered to be the same so mixing and matching those doesn't result in a CSP violation. 2023-08-11 12:20:56 +01:00			`import (`
			`"codeberg.org/gruf/go-debug"`
			`"github.com/gin-gonic/gin"`
[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) * [bugfix] Add s3 endpoint as image-src and media-src for CSP * use https if secure * reorder comment 2023-08-11 16:49:17 +01:00			`"github.com/superseriousbusiness/gotosocial/internal/config"`
[feature] Set Content-Security-Policy header (#2095) This adds the CSP header with a policy of only loading from the same domain. We don't make use of external media, CSS, JS, fonts, so we don't ever need external data loaded in our context. When building a DEBUG build, the policy gets extended to include localhost:*, i.e localhost on any port. This keeps the live-reloading flow for JS development working. localhost and 127.0.0.1 are considered to be the same so mixing and matching those doesn't result in a CSP violation. 2023-08-11 12:20:56 +01:00			`)`
Inbox post (#22) Inbox POST from federated servers now working for statuses and follow requests. Follow request client API added. Start work on federating outgoing messages. Other fixes and changes/tidying up. 2021-05-15 10:58:11 +01:00
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 12:10:50 +00:00			`// ExtraHeaders returns a new gin middleware which adds various extra headers to the response.`
			`func ExtraHeaders() gin.HandlerFunc {`
[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) * [bugfix] Add s3 endpoint as image-src and media-src for CSP * use https if secure * reorder comment 2023-08-11 16:49:17 +01:00			`csp := BuildContentSecurityPolicy()`

[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 12:10:50 +00:00			`return func(c *gin.Context) {`
			`// Inform all callers which server implementation this is.`
			`c.Header("Server", "gotosocial")`
[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) * [bugfix] Add s3 endpoint as image-src and media-src for CSP * use https if secure * reorder comment 2023-08-11 16:49:17 +01:00
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 12:10:50 +00:00			`// Prevent google chrome cohort tracking. Originally this was referred`
			`// to as FlocBlock. Floc was replaced by Topics in 2022 and the spec says`
			`// that interest-cohort will also block Topics (as of 2022-Nov).`
			`//`
			`// See: https://smartframe.io/blog/google-topics-api-everything-you-need-to-know`
			`//`
			`// See: https://github.com/patcg-individual-drafts/topics`
			`c.Header("Permissions-Policy", "browsing-topics=()")`
[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) * [bugfix] Add s3 endpoint as image-src and media-src for CSP * use https if secure * reorder comment 2023-08-11 16:49:17 +01:00
			`// Inform the browser we only load`
			`// CSS/JS/media using the given policy.`
			`c.Header("Content-Security-Policy", csp)`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 12:10:50 +00:00			`}`
Inbox post (#22) Inbox POST from federated servers now working for statuses and follow requests. Follow request client API added. Start work on federating outgoing messages. Other fixes and changes/tidying up. 2021-05-15 10:58:11 +01:00			`}`
[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) * [bugfix] Add s3 endpoint as image-src and media-src for CSP * use https if secure * reorder comment 2023-08-11 16:49:17 +01:00
			`func BuildContentSecurityPolicy() string {`
			`// Start with restrictive policy.`
			`policy := "default-src 'self'"`

			`if debug.DEBUG {`
			`// Debug is enabled, allow`
			`// serving things from localhost`
			`// as well (regardless of port).`
[fix] Update CSP header for blob images (upload preview) and dev livereload (#2109) * update CSP header for blob images (upload preview) and dev livereload websocket * update csp for s3, update csp tests 2023-08-14 11:30:09 +01:00			`policy += " localhost:* ws://localhost:*"`
[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) * [bugfix] Add s3 endpoint as image-src and media-src for CSP * use https if secure * reorder comment 2023-08-11 16:49:17 +01:00			`}`

[fix] Update CSP header for blob images (upload preview) and dev livereload (#2109) * update CSP header for blob images (upload preview) and dev livereload websocket * update csp for s3, update csp tests 2023-08-14 11:30:09 +01:00			`// Disallow object-src as recommended https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src`
			`policy += "; object-src 'none'"`
[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) * [bugfix] Add s3 endpoint as image-src and media-src for CSP * use https if secure * reorder comment 2023-08-11 16:49:17 +01:00
[fix] Update CSP header for blob images (upload preview) and dev livereload (#2109) * update CSP header for blob images (upload preview) and dev livereload websocket * update csp for s3, update csp tests 2023-08-14 11:30:09 +01:00			`s3Endpoint := config.GetStorageS3Endpoint()`
			`if s3Endpoint == "" \|\| config.GetStorageS3Proxy() {`
			`// S3 not configured or in proxy mode, just allow images from self and blob:`
			`policy += "; img-src 'self' blob:"`
[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) * [bugfix] Add s3 endpoint as image-src and media-src for CSP * use https if secure * reorder comment 2023-08-11 16:49:17 +01:00			`return policy`
			`}`

			`// S3 is on and in non-proxy mode, so we need to add the S3 host to`
			`// the policy to allow images and video to be pulled from there too.`

			`// If secure is false,`
			`// use 'http' scheme.`
			`scheme := "https"`
			`if !config.GetStorageS3UseSSL() {`
			`scheme = "http"`
			`}`

			`// Construct endpoint URL.`
			`s3EndpointURLStr := scheme + "://" + s3Endpoint`

[bugfix] CSP policy fixes for S3/object storage (#2104) * [bugfix] CSP policy fixes for S3 in non-proxied mode * It should be img-src * In both img-src and media-src we still need to include 'self' 2023-08-12 11:21:48 +01:00			`// When object storage is in use in non-proxied mode, GtS still serves some`
			`// assets itself like the logo, so keep 'self' in there. That should also`
			`// handle any redirects from the fileserver to object storage.`

[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) * [bugfix] Add s3 endpoint as image-src and media-src for CSP * use https if secure * reorder comment 2023-08-11 16:49:17 +01:00			`// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src`
[fix] Update CSP header for blob images (upload preview) and dev livereload (#2109) * update CSP header for blob images (upload preview) and dev livereload websocket * update csp for s3, update csp tests 2023-08-14 11:30:09 +01:00			`policy += "; img-src 'self' blob: " + s3EndpointURLStr`
[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) * [bugfix] Add s3 endpoint as image-src and media-src for CSP * use https if secure * reorder comment 2023-08-11 16:49:17 +01:00
			`// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src`
[bugfix] CSP policy fixes for S3/object storage (#2104) * [bugfix] CSP policy fixes for S3 in non-proxied mode * It should be img-src * In both img-src and media-src we still need to include 'self' 2023-08-12 11:21:48 +01:00			`policy += "; media-src 'self' " + s3EndpointURLStr`
[bugfix] Add s3 endpoint as image-src and media-src for CSP (#2103) * [bugfix] Add s3 endpoint as image-src and media-src for CSP * use https if secure * reorder comment 2023-08-11 16:49:17 +01:00
			`return policy`
			`}`