feat: URL preview support
from upstream MR https://gitlab.com/famedly/conduit/-/merge_requests/347 with the following changes (so far): - remove hardcoded list of allowed hosts (strongly disagree with this, even if it is desired, it should not be harcoded) - add more allow config options for granularity via URL contains, host contains, and domain is (explicit match) for security - warn if a user is allowing all URLs to be previewed for security reasons - replace an expect with proper error handling - bump webpage to 2.0 - improved code style a tad Co-authored-by: rooot <hey@rooot.gay> Signed-off-by: rooot <hey@rooot.gay> Signed-off-by: strawberry <strawberry@puppygock.gay>
This commit is contained in:
Reiner Herrmann
June
parent
6f26be1c6e
commit
c0dd5b1cc2
13 changed files with 821 additions and 41 deletions
|
|
@ -113,6 +113,8 @@ ip_range_denylist = [
|
|||
"fec0::/10",
|
||||
]
|
||||
|
||||
|
||||
|
||||
### Moderation / Privacy / Security
|
||||
|
||||
# Set to true to allow user type "guest" registrations. Element attempts to register guest users automatically.
|
||||
|
|
@ -163,6 +165,21 @@ allow_public_room_directory_without_auth = false
|
|||
# If federation is disabled entirely (`allow_federation`), this is inherently false. For privacy, this is best disabled.
|
||||
allow_device_name_federation = false
|
||||
|
||||
# Vector list of domains allowed to send requests to for URL previews. Defaults to none.
|
||||
# Note: this is a *contains* match, not an explicit match. Putting "google.com" will match "https://google.com" and "http://mymaliciousdomainexamplegoogle.com"
|
||||
# Setting this to "*" will allow all URL previews. Please note that this opens up significant attack surface to your server, you are expected to be aware of the risks by doing so.
|
||||
url_preview_domain_contains_allowlist = []
|
||||
|
||||
# Vector list of explicit domains allowed to send requests to for URL previews. Defaults to none.
|
||||
# Note: This is an *explicit* match, not a ccontains match. Putting "google.com" will match "https://google.com", "http://google.com", but not "https://mymaliciousdomainexamplegoogle.com"
|
||||
# Setting this to "*" will allow all URL previews. Please note that this opens up significant attack surface to your server, you are expected to be aware of the risks by doing so.
|
||||
url_preview_domain_explicit_allowlist = []
|
||||
|
||||
# Vector list of URLs allowed to send requests to for URL previews. Defaults to none.
|
||||
# Note that this is a *contains* match, not an explicit match. Putting "https://google.com" will match "https://google.com/" and "https://google.com/url?q=https://mymaliciousdomainexample.com"
|
||||
# Setting this to "*" will allow all URL previews. Please note that this opens up significant attack surface to your server, you are expected to be aware of the risks by doing so.
|
||||
url_preview_url_contains_allowlist = []
|
||||
|
||||
|
||||
|
||||
### Misc
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue