Diffstat (limited to 'src/chttpd/src/chttpd_util.erl')
-rw-r--r-- | src/chttpd/src/chttpd_util.erl | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/src/chttpd/src/chttpd_util.erl b/src/chttpd/src/chttpd_util.erl
new file mode 100644
index 000000000..639299f5a
--- /dev/null
+++ b/src/chttpd/src/chttpd_util.erl
@@ -0,0 +1,56 @@
+% Licensed under the Apache License, Version 2.0 (the "License"); you may not
+% use this file except in compliance with the License. You may obtain a copy of
+% the License at
+%
+% http://www.apache.org/licenses/LICENSE-2.0
+%
+% Unless required by applicable law or agreed to in writing, software
+% distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+% WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+% License for the specific language governing permissions and limitations under
+% the License.
+
+-module(chttpd_util).
+
+
+-export([
+ maybe_add_csp_header/3
+]).
+
+
+maybe_add_csp_header(Component, OriginalHeaders, DefaultHeaderValue) ->
+ Default = case Component of
+ "utils" -> true;
+ _Other -> false
+ end,
+ Enabled = config:get_boolean("csp", Component ++ "_enable", Default),
+ case Enabled of
+ true ->
+ HeaderValue = config:get("csp", Component ++ "_header_value", DefaultHeaderValue),
+ % As per https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#multiple_content_security_policies
+ % The top most CSP header defines the most open policy,
+ % subsequent CSP headers set by show/list functions can
+ % only further restrict the policy.
+ %
+ % Ours goes on top and we don’t have to worry about additional
+ % headers set by users.
+ [{"Content-Security-Policy", HeaderValue} | OriginalHeaders];
+ false ->
+ % Fallback for old config vars
+ case Component of
+ "utils" ->
+ handle_legacy_config(OriginalHeaders, DefaultHeaderValue);
+ _ ->
+ OriginalHeaders
+ end
+ end.
+
+handle_legacy_config(OriginalHeaders, DefaultHeaderValue) ->
+ LegacyUtilsEnabled = config:get_boolean("csp", "enable", true),
+ case LegacyUtilsEnabled of
+ true ->
+ LegacyUtilsHeaderValue = config:get("csp", "header_value", DefaultHeaderValue),
+ [{"Content-Security-Policy", LegacyUtilsHeaderValue} | OriginalHeaders];
+ false ->
+ OriginalHeaders
+ end. |
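Review bot: The legacy fallback in maybe_add_csp_header/3 is keyed on the computed `Enabled` value rather than on whether the new `csp.utils_enable` key is actually configured, which gives two surprising outcomes for the "utils" component. With no new keys set, `Default` is true so the `true ->` branch reads `utils_header_value` and an operator's existing `csp.header_value` is silently ignored; conversely, setting `csp.utils_enable = false` explicitly still lands in handle_legacy_config/2, whose `config:get_boolean("csp", "enable", true)` defaults to true, so the header cannot be switched off through the new key alone. Distinguishing "unset" from "false" (config:get/2 returns `undefined` for a missing key, if it behaves as elsewhere in CouchDB) and only falling back to the legacy keys in the unset case fixes both, keeps non-utils components unchanged, and makes the migration path explicit; a short comment such as `% Legacy csp.enable / csp.header_value are honoured only while the new per-component key is absent.` would document the intent. A `-spec` on the exported function (`Component :: string()`, headers as a proplist) would also make the `++` on `Component` an obvious string-only contract.
```erlang
maybe_add_csp_header(Component, OriginalHeaders, DefaultHeaderValue) ->
    case config:get("csp", Component ++ "_enable") of
        undefined when Component =:= "utils" ->
            % New-style key absent: honour the legacy csp.enable / csp.header_value
            handle_legacy_config(OriginalHeaders, DefaultHeaderValue);
        undefined ->
            OriginalHeaders;
        _Configured ->
            case config:get_boolean("csp", Component ++ "_enable", false) of
                true ->
                    HeaderValue = config:get("csp", Component ++ "_header_value", DefaultHeaderValue),
                    % … unchanged: CSP ordering comment …
                    [{"Content-Security-Policy", HeaderValue} | OriginalHeaders];
                false ->
                    OriginalHeaders
            end
    end.
% … unchanged: handle_legacy_config/2 …
```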