Web security configuration
All checks were successful
Lint / pnpm_install (pull_request) Successful in 1m59s
Publish Docker image / Build (pull_request) Successful in 4m52s
Test (production install and build) / production (20.16.0) (pull_request) Successful in 1m13s
Test (backend) / unit (20.16.0) (pull_request) Successful in 8m32s
Lint / lint (backend) (pull_request) Successful in 2m25s
Lint / lint (frontend) (pull_request) Successful in 2m22s
Lint / lint (frontend-embed) (pull_request) Successful in 2m9s
Lint / lint (frontend-shared) (pull_request) Successful in 2m19s
Test (backend) / e2e (20.16.0) (pull_request) Successful in 11m53s
Lint / lint (misskey-bubble-game) (pull_request) Successful in 2m32s
Lint / lint (misskey-js) (pull_request) Successful in 2m34s
Lint / lint (misskey-reversi) (pull_request) Successful in 2m37s
Lint / lint (sw) (pull_request) Successful in 2m15s
Lint / typecheck (backend) (pull_request) Successful in 2m8s
Lint / typecheck (misskey-js) (pull_request) Successful in 1m53s
Lint / typecheck (sw) (pull_request) Successful in 1m53s
All checks were successful
Lint / pnpm_install (pull_request) Successful in 1m59s
Publish Docker image / Build (pull_request) Successful in 4m52s
Test (production install and build) / production (20.16.0) (pull_request) Successful in 1m13s
Test (backend) / unit (20.16.0) (pull_request) Successful in 8m32s
Lint / lint (backend) (pull_request) Successful in 2m25s
Lint / lint (frontend) (pull_request) Successful in 2m22s
Lint / lint (frontend-embed) (pull_request) Successful in 2m9s
Lint / lint (frontend-shared) (pull_request) Successful in 2m19s
Test (backend) / e2e (20.16.0) (pull_request) Successful in 11m53s
Lint / lint (misskey-bubble-game) (pull_request) Successful in 2m32s
Lint / lint (misskey-js) (pull_request) Successful in 2m34s
Lint / lint (misskey-reversi) (pull_request) Successful in 2m37s
Lint / lint (sw) (pull_request) Successful in 2m15s
Lint / typecheck (backend) (pull_request) Successful in 2m8s
Lint / typecheck (misskey-js) (pull_request) Successful in 1m53s
Lint / typecheck (sw) (pull_request) Successful in 1m53s
Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
This commit is contained in:
parent
7748ab5dd0
commit
174c3ef096
8 changed files with 154 additions and 33 deletions
|
@ -168,8 +168,8 @@ id: 'aidx'
|
|||
# options:
|
||||
# dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0'
|
||||
|
||||
# ┌─────────────────────┐
|
||||
#───┘ Other configuration └─────────────────────────────────────
|
||||
# ┌──────────────┐
|
||||
#──┘ Web Security └──────────────────────────────────────
|
||||
|
||||
# Whether disable HSTS
|
||||
#disableHsts: true
|
||||
|
@ -180,6 +180,24 @@ id: 'aidx'
|
|||
# - https://hstspreload.org/
|
||||
#hstsPreload: false
|
||||
|
||||
# Enable additional security headers that reduce the risk of XSS attacks or privacy leaks.
|
||||
# browserSandboxing:
|
||||
# # Do not send the Referrer header to other domains. The default when browserSandboxing is missing is true.
|
||||
# strictOriginReferrer: true
|
||||
# csp:
|
||||
# # Do not send a CSP header. The default is a strict CSP header that prevents any form of external fetching or execution.
|
||||
# disable: false
|
||||
# # Merge additional directives into the CSP header. The default is an empty object.
|
||||
# # You may want to list your CDN or other trusted domains here.
|
||||
# # Media proxies are automatically added to the CSP header. This is an exception, things like Sentry will not be automatically added.
|
||||
# appendDirectives:
|
||||
# 'script-src':
|
||||
# - "'unsafe-eval'" # do not use this ... just an example
|
||||
# - 'https://example.com'
|
||||
|
||||
# ┌─────────────────────┐
|
||||
#───┘ Other configuration └─────────────────────────────────────
|
||||
|
||||
# Number of worker processes
|
||||
#clusterLimit: 1
|
||||
|
||||
|
|
|
@ -162,8 +162,8 @@ id: 'aidx'
|
|||
# options:
|
||||
# dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0'
|
||||
|
||||
# ┌─────────────────────┐
|
||||
#───┘ Other configuration └─────────────────────────────────────
|
||||
# ┌──────────────┐
|
||||
#──┘ Web Security └──────────────────────────────────────
|
||||
|
||||
# Whether disable HSTS
|
||||
#disableHsts: true
|
||||
|
@ -174,6 +174,24 @@ id: 'aidx'
|
|||
# - https://hstspreload.org/
|
||||
#hstsPreload: false
|
||||
|
||||
# Enable additional security headers that reduce the risk of XSS attacks or privacy leaks.
|
||||
# browserSandboxing:
|
||||
# # Do not send the Referrer header to other domains. The default when browserSandboxing is missing is true.
|
||||
# strictOriginReferrer: true
|
||||
# csp:
|
||||
# # Do not send a CSP header. The default is a strict CSP header that prevents any form of external fetching or execution.
|
||||
# disable: false
|
||||
# # Merge additional directives into the CSP header. The default is an empty object.
|
||||
# # You may want to list your CDN or other trusted domains here.
|
||||
# # Media proxies are automatically added to the CSP header. This is an exception, things like Sentry will not be automatically added.
|
||||
# appendDirectives:
|
||||
# 'script-src':
|
||||
# - "'unsafe-eval'" # do not use this ... just an example
|
||||
# - 'https://example.com'
|
||||
|
||||
# ┌─────────────────────┐
|
||||
#───┘ Other configuration └─────────────────────────────────────
|
||||
|
||||
# Number of worker processes
|
||||
#clusterLimit: 1
|
||||
|
||||
|
|
|
@ -244,8 +244,8 @@ id: 'aidx'
|
|||
# options:
|
||||
# dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0'
|
||||
|
||||
# ┌─────────────────────┐
|
||||
#───┘ Other configuration └─────────────────────────────────────
|
||||
# ┌──────────────┐
|
||||
#──┘ Web Security └──────────────────────────────────────
|
||||
|
||||
# Whether disable HSTS
|
||||
#disableHsts: true
|
||||
|
@ -256,6 +256,24 @@ id: 'aidx'
|
|||
# - https://hstspreload.org/
|
||||
#hstsPreload: false
|
||||
|
||||
# Enable additional security headers that reduce the risk of XSS attacks or privacy leaks.
|
||||
# browserSandboxing:
|
||||
# # Do not send the Referrer header to other domains. The default when browserSandboxing is missing is true.
|
||||
# strictOriginReferrer: true
|
||||
# csp:
|
||||
# # Do not send a CSP header. The default is a strict CSP header that prevents any form of external fetching or execution.
|
||||
# disable: false
|
||||
# # Merge additional directives into the CSP header. The default is an empty object.
|
||||
# # You may want to list your CDN or other trusted domains here.
|
||||
# # Media proxies are automatically added to the CSP header. This is an exception, things like Sentry will not be automatically added.
|
||||
# appendDirectives:
|
||||
# 'script-src':
|
||||
# - "'unsafe-eval'" # do not use this ... just an example
|
||||
# - 'https://example.com'
|
||||
|
||||
# ┌─────────────────────┐
|
||||
#───┘ Other configuration └─────────────────────────────────────
|
||||
|
||||
# Number of worker processes
|
||||
#clusterLimit: 1
|
||||
|
||||
|
|
|
@ -20,6 +20,18 @@ type RedisOptionsSource = Partial<RedisOptions> & {
|
|||
prefix?: string;
|
||||
};
|
||||
|
||||
type BrowserSandboxing = {
|
||||
// send Referrer-Policy: strict-origin
|
||||
strictOriginReferrer?: boolean;
|
||||
csp?: {
|
||||
disable?: boolean;
|
||||
|
||||
appendDirectives?: {
|
||||
[directive: string]: string | string[];
|
||||
}
|
||||
};
|
||||
};
|
||||
|
||||
/**
|
||||
* 設定ファイルの型
|
||||
*/
|
||||
|
@ -65,6 +77,8 @@ type Source = {
|
|||
|
||||
publishTarballInsteadOfProvideRepositoryUrl?: boolean;
|
||||
|
||||
browserSandboxing?: BrowserSandboxing;
|
||||
|
||||
setupPassword?: string;
|
||||
|
||||
proxy?: string;
|
||||
|
@ -155,7 +169,9 @@ export type Config = {
|
|||
proxyRemoteFiles: boolean | undefined;
|
||||
signToActivityPubGet: boolean | undefined;
|
||||
|
||||
cspPrerenderedContent: Map<string, CSPHashed>,
|
||||
browserSandboxing: BrowserSandboxing;
|
||||
|
||||
cspPrerenderedContent: Map<string, CSPHashed>;
|
||||
|
||||
version: string;
|
||||
gitDescribe: string;
|
||||
|
@ -252,6 +268,7 @@ export function loadConfig(): Config {
|
|||
version,
|
||||
gitCommit,
|
||||
gitDescribe,
|
||||
browserSandboxing: config.browserSandboxing ?? { strictOriginReferrer: true },
|
||||
publishTarballInsteadOfProvideRepositoryUrl: !!config.publishTarballInsteadOfProvideRepositoryUrl,
|
||||
setupPassword: config.setupPassword,
|
||||
url: url.origin,
|
||||
|
|
|
@ -89,14 +89,28 @@ export class ServerService implements OnApplicationShutdown {
|
|||
fastify.addHook('onRequest', makeHstsHook(host, preload));
|
||||
}
|
||||
|
||||
// Other Security/Privacy Headers
|
||||
fastify.addHook('onRequest', (_, reply, done) => {
|
||||
reply.header('x-content-type-options', 'nosniff');
|
||||
reply.header('permissions-policy', 'interest-cohort=()'); // Disable FLoC
|
||||
if (this.config.browserSandboxing.strictOriginReferrer) {
|
||||
reply.header('referrer-policy', 'strict-origin');
|
||||
}
|
||||
done();
|
||||
});
|
||||
|
||||
// CSP
|
||||
if (process.env.NODE_ENV === 'production') {
|
||||
if (process.env.NODE_ENV === 'production' && !this.config.browserSandboxing.csp?.disable) {
|
||||
console.debug('cspPrerenderedContent', this.config.cspPrerenderedContent);
|
||||
const generatedCSP = generateCSP(this.config.cspPrerenderedContent, {
|
||||
mediaProxy: this.config.mediaProxy ? `https://${new URL(this.config.mediaProxy).host}` : undefined,
|
||||
script_src: [
|
||||
`https://${new URL(this.config.url).host}/embed_vite/`,
|
||||
`https://${new URL(this.config.url).host}/vite/`,
|
||||
],
|
||||
});
|
||||
fastify.addHook('onRequest', (_, reply, done) => {
|
||||
reply.header('Content-Security-Policy', generatedCSP);
|
||||
reply.header('content-security-policy', generatedCSP);
|
||||
done();
|
||||
});
|
||||
}
|
||||
|
|
|
@ -13,6 +13,8 @@ export type CSPHashed = {
|
|||
|
||||
export function generateCSP(hashedMap: Map<string, CSPHashed>, options: {
|
||||
mediaProxy?: string,
|
||||
script_src?: string[],
|
||||
append?: { [key: string]: string | string[] },
|
||||
}) {
|
||||
const keys = Array.from(hashedMap.keys());
|
||||
const scripts = keys
|
||||
|
@ -22,7 +24,7 @@ export function generateCSP(hashedMap: Map<string, CSPHashed>, options: {
|
|||
.filter(name => name.endsWith('.css'))
|
||||
.map(name => `'${hashedMap.get(name)!.integrity}'`);
|
||||
|
||||
return ([
|
||||
const cpolicy = [
|
||||
['default-src', ['\'self\'']],
|
||||
['img-src',
|
||||
[
|
||||
|
@ -42,7 +44,11 @@ export function generateCSP(hashedMap: Map<string, CSPHashed>, options: {
|
|||
//
|
||||
// ref: https://github.com/shikijs/shiki/issues/671
|
||||
['style-src-attr', ['\'self\'', '\'unsafe-inline\'']],
|
||||
['script-src', ['\'self\'', '\'wasm-unsafe-eval\'', ...scripts]],
|
||||
['script-src', [
|
||||
...(options.script_src ? options.script_src : ['\'self\'']),
|
||||
'\'wasm-unsafe-eval\'',
|
||||
...scripts
|
||||
]],
|
||||
['object-src', ['\'none\'']],
|
||||
['base-uri', ['\'self\'']],
|
||||
['form-action', ['\'self\'']],
|
||||
|
@ -52,7 +58,23 @@ export function generateCSP(hashedMap: Map<string, CSPHashed>, options: {
|
|||
[
|
||||
['upgrade-insecure-requests', []],
|
||||
] : []),
|
||||
] as [string, string[]][])
|
||||
] as [string, string[]][];
|
||||
|
||||
if (options.append) {
|
||||
for (const [name, values] of Object.entries(options.append)) {
|
||||
if (!values) {
|
||||
continue;
|
||||
}
|
||||
const found = cpolicy.find(([n]) => n === name);
|
||||
if (found) {
|
||||
found[1].push(...(Array.isArray(values) ? values : [values]));
|
||||
} else {
|
||||
cpolicy.push([name, Array.isArray(values) ? values : [values]]);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return cpolicy
|
||||
.map(([name, values]) => {
|
||||
return `${name} ${values.join(' ')}`;
|
||||
}).join('; ');
|
||||
|
|
|
@ -248,14 +248,28 @@ export class ClientServerService {
|
|||
fastify.addHook('onRequest', makeHstsHook(host, preload));
|
||||
}
|
||||
|
||||
// Other Security/Privacy Headers
|
||||
fastify.addHook('onRequest', (_, reply, done) => {
|
||||
reply.header('x-content-type-options', 'nosniff');
|
||||
reply.header('permissions-policy', 'interest-cohort=()'); // Disable FLoC
|
||||
if (this.config.browserSandboxing.strictOriginReferrer ?? true) {
|
||||
reply.header('referrer-policy', 'strict-origin');
|
||||
}
|
||||
done();
|
||||
});
|
||||
|
||||
// CSP
|
||||
if (process.env.NODE_ENV === 'production') {
|
||||
console.debug('cspPrerenderedContent', this.config.cspPrerenderedContent);
|
||||
const generatedCSP = generateCSP(this.config.cspPrerenderedContent, {
|
||||
mediaProxy: this.config.mediaProxy ? `https://${new URL(this.config.mediaProxy).host}` : undefined,
|
||||
script_src: [
|
||||
`https://${new URL(this.config.url).host}/embed_vite/`,
|
||||
`https://${new URL(this.config.url).host}/vite/`,
|
||||
],
|
||||
});
|
||||
fastify.addHook('onRequest', (_, reply, done) => {
|
||||
reply.header('Content-Security-Policy', generatedCSP);
|
||||
reply.header('content-security-policy', generatedCSP);
|
||||
done();
|
||||
});
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue