Add WEBAPP_SKIP_SUBRESOURCE_INTEGRITY setting to remove integrity att…

…ributes on link and script tags
mirego · Dec 2, 2020 · 8f1e878 · 8f1e878
1 parent 5e965d8
commit 8f1e878
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -123,13 +123,14 @@ Accent provides a default value for every required environment variable. This me
 
 ### Production setup
 
-| Variable                                  | Default | Description                                                                                                           |
-| ----------------------------------------- | ------- | --------------------------------------------------------------------------------------------------------------------- |
-| `RESTRICTED_PROJECT_CREATOR_EMAIL_DOMAIN` | _none_  | If specified, only authenticated users from this domain name will be able to create new projects.                     |
-| `FORCE_SSL`                               | _false_ | If the app should always be served by https (and wss for websocket)                                                   |
-| `SENTRY_DSN`                              | _none_  | The _secret_ Sentry DSN used to collect API runtime errors                                                            |
-| `WEBAPP_SENTRY_DSN`                       | _none_  | The _public_ Sentry DSN used to collect Webapp runtime errors                                                         |
-| `CANONICAL_URL`                           | _none_  | The URL of the app. Used in sent emails and to redirect from external services to the app in the authentication flow. |
+| Variable                                  | Default | Description                                                                                                                |
+| ----------------------------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------- |
+| `RESTRICTED_PROJECT_CREATOR_EMAIL_DOMAIN` | _none_  | If specified, only authenticated users from this domain name will be able to create new projects.                          |
+| `FORCE_SSL`                               | _false_ | If the app should always be served by https (and wss for websocket)                                                        |
+| `SENTRY_DSN`                              | _none_  | The _secret_ Sentry DSN used to collect API runtime errors                                                                 |
+| `WEBAPP_SENTRY_DSN`                       | _none_  | The _public_ Sentry DSN used to collect Webapp runtime errors                                                              |
+| `CANONICAL_URL`                           | _none_  | The URL of the app. Used in sent emails and to redirect from external services to the app in the authentication flow.      |
+| `WEBAPP_SKIP_SUBRESOURCE_INTEGRITY`       | _none_  | Remove integrity attributes on link and script tag. Useful when using a proxy that compress resources before serving them. |
 
 ### Authentication setup
 

diff --git a/config/config.exs b/config/config.exs
@@ -14,8 +14,6 @@ config :accent, Accent.Endpoint,
 
 config :accent, hook_github_file_server: Accent.Hook.Inbounds.GitHub.FileServer.HTTP
 
-config :accent, Accent.WebappView, path: "priv/static/webapp/index.html"
-
 config :accent, Oban, queues: [hook: 10], repo: Accent.Repo
 
 config :absinthe, :schema, Accent.GraphQL.Schema

diff --git a/config/runtime.exs b/config/runtime.exs
@@ -82,7 +82,10 @@ config :ueberauth, Ueberauth.Strategy.Discord.OAuth,
   client_id: System.get_env("DISCORD_CLIENT_ID"),
   client_secret: System.get_env("DISCORD_CLIENT_SECRET")
 
-config :accent, Accent.WebappView, sentry_dsn: System.get_env("WEBAPP_SENTRY_DSN") || ""
+config :accent, Accent.WebappView,
+  path: "priv/static/webapp/index.html",
+  sentry_dsn: System.get_env("WEBAPP_SENTRY_DSN") || "",
+  skip_subresource_integrity: System.get_env("WEBAPP_SKIP_SUBRESOURCE_INTEGRITY") || false
 
 config :sentry,
   dsn: System.get_env("SENTRY_DSN"),

diff --git a/lib/web/views/webapp_view.ex b/lib/web/views/webapp_view.ex
@@ -1,4 +1,6 @@
 defmodule Accent.WebappView do
+  @subresource_integrity ~r/ integrity="(sha256-.+)?"/
+
   def render do
     :accent
     |> Application.app_dir(path())
@@ -10,6 +12,7 @@ defmodule Accent.WebappView do
     file
     |> String.replace("__WEBAPP_SENTRY_DSN__", sentry_dsn())
     |> String.replace("__VERSION__", version())
+    |> remove_subresource_integrity(skip_subresource_integrity())
   end
 
   defp version do
@@ -23,4 +26,14 @@ defmodule Accent.WebappView do
   defp path do
     Application.get_env(:accent, __MODULE__)[:path]
   end
+
+  defp skip_subresource_integrity do
+    Application.get_env(:accent, __MODULE__)[:skip_subresource_integrity]
+  end
+
+  defp remove_subresource_integrity(content, false), do: content
+
+  defp remove_subresource_integrity(content, _) do
+    String.replace(content, @subresource_integrity, "")
+  end
 end