From 62c9327500e3ff47c34acf8098e5d1f5138208b7 Mon Sep 17 00:00:00 2001
From: Thomas Sileo
Date: Wed, 9 Nov 2022 21:26:43 +0100
Subject: [PATCH] Add support for setting a custom CSP

---
 app/config.py      |  3 +++
 app/main.py        | 12 +++++++++---
 docs/user_guide.md | 12 +++++++++++-
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/app/config.py b/app/config.py
index 27e7ffb..36ff073 100644
--- a/app/config.py
+++ b/app/config.py
@@ -109,6 +109,8 @@ class Config(pydantic.BaseModel):
 
     inbox_retention_days: int = 15
 
+    custom_content_security_policy: str | None = None
+
     # Config items to make tests easier
     sqlalchemy_database: str | None = None
     key_path: str | None = None
@@ -165,6 +167,7 @@ if CONFIG.privacy_replace:
 
 BLOCKED_SERVERS = {blocked_server.hostname for blocked_server in CONFIG.blocked_servers}
 ALSO_KNOWN_AS = CONFIG.also_known_as
+CUSTOM_CONTENT_SECURITY_POLICY = CONFIG.custom_content_security_policy
 
 INBOX_RETENTION_DAYS = CONFIG.inbox_retention_days
 CUSTOM_FOOTER = (
diff --git a/app/main.py b/app/main.py
index 0829167..37e1ab8 100644
--- a/app/main.py
+++ b/app/main.py
@@ -137,9 +137,15 @@ class CustomMiddleware:
         headers["x-frame-options"] = "DENY"
         headers["permissions-policy"] = "interest-cohort=()"
         headers["content-security-policy"] = (
-            f"default-src 'self'; "
-            f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; "
-            f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
+            (
+                f"default-src 'self'; "
+                f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; "
+                f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
+            )
+            if not config.CUSTOM_CONTENT_SECURITY_POLICY
+            else config.CUSTOM_CONTENT_SECURITY_POLICY.format(
+                HIGHLIGHT_CSS_HASH=HIGHLIGHT_CSS_HASH
+            )
         )
         if not DEBUG:
             headers["strict-transport-security"] = "max-age=63072000;"
diff --git a/docs/user_guide.md b/docs/user_guide.md
index 578bf08..51ad9c1 100644
--- a/docs/user_guide.md
+++ b/docs/user_guide.md
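Review bot: In the app/main.py hunk the `else` branch calls `str.format` on the operator-supplied `config.CUSTOM_CONTENT_SECURITY_POLICY` for every response, so any brace in the configured policy other than `{HIGHLIGHT_CSS_HASH}` (a typo such as `{HIGHLIGHT_CSS_HAS}`, or a stray `{`) raises `KeyError`/`ValueError` inside the middleware and turns every request into a server error instead of being rejected at startup; `str.format` also lets a template reach attributes and indexes of the substituted value, which a plain substitution does not. A literal replacement is enough here: `else config.CUSTOM_CONTENT_SECURITY_POLICY.replace("{HIGHLIGHT_CSS_HASH}", HIGHLIGHT_CSS_HASH)`. Alternatively the `custom_content_security_policy` field added in the first app/config.py hunk could get a validator that performs the substitution once at load time, so a malformed policy fails when the config is read rather than on the first request. Either way the field deserves a comment naming the one supported placeholder, e.g. `# Optional CSP override; the literal {HIGHLIGHT_CSS_HASH} is substituted at runtime`. CustomMiddleware starts and ends outside the hunk.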
@@ -131,9 +131,19 @@ See `app/scss/main.scss` to see what variables can be overridden. If you'd like to customize your instance's theme beyond CSS, you can modify the app's HTML by placing templates in `data/templates` which overwrite the defaults in `app/templates`. +#### Custom Content Security Policy (CSP) + +You can override the default Content Security Policy by adding a line in `data/profile.toml`: + +```toml +custom_content_security_policy = "default-src 'self'; style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';" +``` + +This example will output the default CSP, note that `{HIGHLIGHT_CSS_HASH}` will be dynamically replaced by the correct value (the hash of the CSS needed for syntax highlighting). + #### Code highlighting theme -You can switch to one of the [styles supported by Pygments](https://pygments.org/styles/) by adding a line in `profile.toml`: +You can switch to one of the [styles supported by Pygments](https://pygments.org/styles/) by adding a line in `data/profile.toml`: ```toml code_highlighting_theme = "solarized-dark"