forked from forks/microblog.pub
Add support for setting a custom CSP
This commit is contained in:
parent
a339ff93b1
commit
62c9327500
3 changed files with 23 additions and 4 deletions
|
@ -109,6 +109,8 @@ class Config(pydantic.BaseModel):
|
||||||
|
|
||||||
inbox_retention_days: int = 15
|
inbox_retention_days: int = 15
|
||||||
|
|
||||||
|
custom_content_security_policy: str | None = None
|
||||||
|
|
||||||
# Config items to make tests easier
|
# Config items to make tests easier
|
||||||
sqlalchemy_database: str | None = None
|
sqlalchemy_database: str | None = None
|
||||||
key_path: str | None = None
|
key_path: str | None = None
|
||||||
|
@ -165,6 +167,7 @@ if CONFIG.privacy_replace:
|
||||||
|
|
||||||
BLOCKED_SERVERS = {blocked_server.hostname for blocked_server in CONFIG.blocked_servers}
|
BLOCKED_SERVERS = {blocked_server.hostname for blocked_server in CONFIG.blocked_servers}
|
||||||
ALSO_KNOWN_AS = CONFIG.also_known_as
|
ALSO_KNOWN_AS = CONFIG.also_known_as
|
||||||
|
CUSTOM_CONTENT_SECURITY_POLICY = CONFIG.custom_content_security_policy
|
||||||
|
|
||||||
INBOX_RETENTION_DAYS = CONFIG.inbox_retention_days
|
INBOX_RETENTION_DAYS = CONFIG.inbox_retention_days
|
||||||
CUSTOM_FOOTER = (
|
CUSTOM_FOOTER = (
|
||||||
|
|
12
app/main.py
12
app/main.py
|
@ -137,9 +137,15 @@ class CustomMiddleware:
|
||||||
headers["x-frame-options"] = "DENY"
|
headers["x-frame-options"] = "DENY"
|
||||||
headers["permissions-policy"] = "interest-cohort=()"
|
headers["permissions-policy"] = "interest-cohort=()"
|
||||||
headers["content-security-policy"] = (
|
headers["content-security-policy"] = (
|
||||||
f"default-src 'self'; "
|
(
|
||||||
f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; "
|
f"default-src 'self'; "
|
||||||
f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
|
f"style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; "
|
||||||
|
f"frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
|
||||||
|
)
|
||||||
|
if not config.CUSTOM_CONTENT_SECURITY_POLICY
|
||||||
|
else config.CUSTOM_CONTENT_SECURITY_POLICY.format(
|
||||||
|
HIGHLIGHT_CSS_HASH=HIGHLIGHT_CSS_HASH
|
||||||
|
)
|
||||||
)
|
)
|
||||||
if not DEBUG:
|
if not DEBUG:
|
||||||
headers["strict-transport-security"] = "max-age=63072000;"
|
headers["strict-transport-security"] = "max-age=63072000;"
|
||||||
|
|
|
@ -131,9 +131,19 @@ See `app/scss/main.scss` to see what variables can be overridden.
|
||||||
|
|
||||||
If you'd like to customize your instance's theme beyond CSS, you can modify the app's HTML by placing templates in `data/templates` which overwrite the defaults in `app/templates`.
|
If you'd like to customize your instance's theme beyond CSS, you can modify the app's HTML by placing templates in `data/templates` which overwrite the defaults in `app/templates`.
|
||||||
|
|
||||||
|
#### Custom Content Security Policy (CSP)
|
||||||
|
|
||||||
|
You can override the default Content Security Policy by adding a line in `data/profile.toml`:
|
||||||
|
|
||||||
|
```toml
|
||||||
|
custom_content_security_policy = "default-src 'self'; style-src 'self' 'sha256-{HIGHLIGHT_CSS_HASH}'; frame-ancestors 'none'; base-uri 'self'; form-action 'self';"
|
||||||
|
```
|
||||||
|
|
||||||
|
This example will output the default CSP, note that `{HIGHLIGHT_CSS_HASH}` will be dynamically replaced by the correct value (the hash of the CSS needed for syntax highlighting).
|
||||||
|
|
||||||
#### Code highlighting theme
|
#### Code highlighting theme
|
||||||
|
|
||||||
You can switch to one of the [styles supported by Pygments](https://pygments.org/styles/) by adding a line in `profile.toml`:
|
You can switch to one of the [styles supported by Pygments](https://pygments.org/styles/) by adding a line in `data/profile.toml`:
|
||||||
|
|
||||||
```toml
|
```toml
|
||||||
code_highlighting_theme = "solarized-dark"
|
code_highlighting_theme = "solarized-dark"
|
||||||
|
|
Loading…
Reference in a new issue