Schema: support for X-Content-Type-Options

as `management.headers.content_type_options`
2022-07-25 10:19:56 +04:00 · 2022-07-25 10:19:56 +04:00 · 02e1f65d97
parent 7e655b08d9
commit 02e1f65d97
2 changed files with 76 additions and 1 deletions
--- a/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
+++ b/deps/rabbitmq_management/priv/schema/rabbitmq_management.schema
@ -307,7 +307,7 @@ end}.


 %%
-%% CORS
+%% CORS (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
 %%

 {mapping, "management.cors.allow_origins", "rabbitmq_management.cors_allow_origins", [
@ -371,6 +371,50 @@ fun(Conf) ->
    end
 end}.

+%% X-Content-Type-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)
+
+{mapping, "management.headers.content_type_options", "rabbitmq_management.headers.content_type_options", [
+    {datatype, string}
+]}.
+
+{translation, "rabbitmq_management.headers.content_type_options",
+fun(Conf) ->
+    case cuttlefish:conf_get("management.headers.content_type_options", Conf, undefined) of
+        undefined -> cuttlefish:unset();
+        Value     -> Value
+    end
+end}.
+
+%% X-XSS-Protection (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection)
+
+{mapping, "management.headers.xss_protection", "rabbitmq_management.headers.xss_protection", [
+    {datatype, string}
+]}.
+
+{translation, "rabbitmq_management.headers.xss_protection",
+fun(Conf) ->
+    case cuttlefish:conf_get("management.headers.xss_protection", Conf, undefined) of
+        undefined -> cuttlefish:unset();
+        Value     -> Value
+    end
+end}.
+
+
+%% X-Frame-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
+
+{mapping, "management.headers.frame_options", "rabbitmq_management.headers.frame_options", [
+    {datatype, string}
+]}.
+
+{translation, "rabbitmq_management.headers.frame_options",
+fun(Conf) ->
+    case cuttlefish:conf_get("management.headers.content_type_options", Conf, undefined) of
+        undefined -> cuttlefish:unset();
+        Value     -> Value
+    end
+end}.
+
+
 %% OAuth 2/SSO access only

 {mapping, "management.disable_basic_auth", "rabbitmq_management.disable_basic_auth",
--- a/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets
+++ b/deps/rabbitmq_management/test/config_schema_SUITE_data/rabbitmq_management.snippets
@ -404,6 +404,37 @@
  ], [rabbitmq_management]
 },

+ %%
+ %% X-Content-Type-Options
+ %%
+
+ {headers_content_type_options_case1,
+  "management.headers.content_type_options = nosniff",
+  [
+   {rabbitmq_management, [
+                          {headers, [
+                            {content_type_options, "nosniff"}
+                          ]}
+                         ]}
+  ], [rabbitmq_management]
+ },
+
+ {csp_and_hsts_and_content_type_options_combined,
+  "management.csp.policy = default-src 'self' *.mailsite.com; img-src *
+   management.hsts.policy = max-age=31536000; includeSubDomains
+   management.headers.content_type_options = nosniff",
+  [
+   {rabbitmq_management, [
+                          {content_security_policy, "default-src 'self' *.mailsite.com; img-src *"},
+                          {strict_transport_security, "max-age=31536000; includeSubDomains"},
+
+                          {headers, [
+                            {content_type_options, "nosniff"}
+                          ]}
+                         ]}
+  ], [rabbitmq_management]
+ },
+

 %%
 %% Legacy listener configuration