mod_base: more restrictive CSP header in controller_file (0.x) (#3108)

* mod_base: more restrictive CSP header in controller_file (0.x) * Remove colon * Remove colon * Fix CSP for video and audio.
zotonic · Aug 30, 2022 · d1e8ed7 · d1e8ed7
1 parent e190423
commit d1e8ed7
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/modules/mod_base/controllers/controller_file.erl b/modules/mod_base/controllers/controller_file.erl
@@ -174,18 +174,25 @@ is_public([Id|T], Context, _Answer) ->
 %% @doc Files that are uploaded get a strict content-security-policy.
 %%      Controlled files from the file system are not restricted.
 set_content_policy(#z_file_info{ mime = Mime } = Info, ReqData) ->
+    IsPlayerNeeded = is_player_needed(Mime),
     case is_resource(Info) of
-        true when Mime =:= <<"application/pdf">> ->
-            RD1 = wrq:set_resp_header("Content-Security-Policy", "object-src 'self'; plugin-types application/pdf", ReqData),
-            wrq:set_resp_header("X-Content-Security-Policy", "plugin-types: application/pdf", RD1);
+        true when IsPlayerNeeded ->
+            RD1 = wrq:set_resp_header("Content-Security-Policy", "default-src 'none'; media-src 'self'; object-src 'self'", ReqData),
+            wrq:set_resp_header("X-Content-Security-Policy", "default-src 'none'; media-src 'self'; object-src 'self'; plugin-types: application/pdf", RD1);
         true ->
             % Do not set the IE11 X-CSP with sandbox as that disables file downloading
             % https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox
-            wrq:set_resp_header("Content-Security-Policy", "sandbox", ReqData);
+            RD1 = wrq:set_resp_header("Content-Security-Policy", "default-src 'none'; sandbox", ReqData),
+            wrq:set_resp_header("X-Content-Security-Policy", "default-src 'none'", RD1);
         false ->
             ReqData
     end.
 
+is_player_needed(<<"application/pdf">>) -> true;
+is_player_needed(<<"video/", _/binary>>) -> true;
+is_player_needed(<<"audio/", _/binary>>) -> true;
+is_player_needed(_) -> false.
+
 %% @doc Check if the served file originated from an user-upload (ie. it is a resource)
 is_resource( #z_file_info{ acls = Acls }) ->
     lists:any(fun is_integer/1, Acls).