
CSP support for the new S3 media hostnames Mastodon 2.1 generates

kstrauser committed Jan 5, 2018
1 parent 8c8bb84 commit 5d91a3454a10ba9d1954dc69228d8aeea0a4f973
Showing with 11 additions and 5 deletions.
  1. +8 −3 ansible/host_vars/mastodon
  2. +1 −1 ansible/roles/nginx/templates/mastodon.j2
  3. +2 −1 ansible/roles/nginx/vars/main.yml
@@ -42,6 +42,11 @@ certbot_email: admin@example.taco
# Secret key for backup S3 bucket
# backup_s3_secret_key: LoNgRaNdOmStRiNg

# S3 hostname for hosting media. If set, this host is added to the
# site's CSP headers for images and media.
# media_s3_hostname: example-taco-system.s3-us-west-2.amazonaws.com
# S3 hostname for hosting media. This is combined with media_s3_bucket
# to generate the full URLs to your stored files.
media_s3_hostname: s3-us-west-2.amazonaws.com

# S3 bucket for hosting media. If set, this is added to the site's CSP
# headers to tell visitors where it's safe for them to download images
# and media.
# media_s3_bucket: example-taco-system
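Review bot: The meaning of `media_s3_hostname` changes here from the full bucket hostname (the removed example `example-taco-system.s3-us-west-2.amazonaws.com`) to the bare regional endpoint, but the variable keeps its name, so any existing host_vars that still carry the old-style value would render a doubled `bucket.bucket.s3-…` hostname in the vars template without any error. Either a new name for the new meaning or a migration line in the comment would make that visible; for example `# NOTE: this used to hold the full bucket hostname; set only the regional endpoint here and put the bucket name in media_s3_bucket.` The comment on the new default could also state that, as far as the vars template in this commit shows, the value is only emitted into the CSP when `media_s3_bucket` is also defined.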
@@ -30,7 +30,7 @@ server {
error_log /var/log/nginx/{{ mastodon_domain }}-error.log;

# Ref: https://content-security-policy.com
add_header Content-Security-Policy "default-src 'self'; img-src 'self'{{ media_s3_url }} data:; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://{{ mastodon_domain }}/; media-src 'self'{{ media_s3_url }}";
add_header Content-Security-Policy "default-src 'self'; img-src 'self'{{ media_s3_url_old }}{{ media_s3_url_new }} data:; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://{{ mastodon_domain }}/; media-src 'self'{{ media_s3_url_old }}{{ media_s3_url_new }}";
add_header Heartbleed "NO; see http://heartbleedheader.com";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload";
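Review bot: The rewritten Content-Security-Policy line now allows two distinct S3 source forms whenever the bucket is configured, but nothing in the template records why both are kept, so a later cleanup is likely to drop one and break either already-stored media or newly uploaded media. A one-line comment above the add_header such as `# Two S3 origins are listed: bucket.<host>/ for media stored before Mastodon 2.1, <host>/<bucket>/ for media stored since` would prevent that. Note that the `server {` block begins before this hunk and continues after it, so I could not confirm whether any other header in the block also needs the second form.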
@@ -1,2 +1,3 @@
---
media_s3_url: "{% if media_s3_hostname is defined %} https://{{ media_s3_hostname }}/{% endif %}"
media_s3_url_old: "{% if media_s3_bucket is defined %} https://{{ media_s3_bucket }}.{{ media_s3_hostname }}/{% endif %}"
media_s3_url_new: "{% if media_s3_bucket is defined %} https://{{ media_s3_hostname }}/{{ media_s3_bucket }}/{% endif %}"
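Review bot: `media_s3_url_old` is guarded on `media_s3_bucket is defined` but references `media_s3_hostname` unguarded, so a host that defines the bucket without the hostname fails at template render time rather than producing a clear message; `media_s3_url_new` has the same shape. Since the host_vars file in this commit now ships a default hostname this may be acceptable, but a comment above the two lines should say so: `# Both entries assume media_s3_hostname is defined (see host_vars); only media_s3_bucket is optional.` It is also worth a comment that the trailing `/` on the path-style form is load-bearing: in CSP a source whose path ends in `/` matches by prefix, so `https://<host>/<bucket>/` stays scoped to this bucket rather than to every object served from the shared regional endpoint.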
