Conditional handling of http_security with Onion federation
Related: pleroma-meta#58
It seems that Onion federation requires disabling the HTTPSecurityPlug which gives a big ascii warning banner when you start the server:
> HTTP Security is disabled. Please re-enable it to prevent users from attacking your instance and your users via malicious posts
When enabled, it would normally add these headers:
```elixir
headers = [
  {"x-xss-protection", "1; mode=block"},
  {"x-permitted-cross-domain-policies", "none"},
  {"x-frame-options", "DENY"},
  {"x-content-type-options", "nosniff"},
  {"referrer-policy", referrer_policy},
  {"x-download-options", "noopen"},
  {"content-security-policy", csp_string()},
  {"permissions-policy", "interest-cohort=()"}
]
```
and:
```elixir
merge_resp_headers(conn, [
  {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"},
  {"expect-ct", "enforce, max-age=#{max_age_ct}"}
])
```
This is nothing that can't just be added to the clearnet Nginx config, but surely there's a way to detect if the user is connected over Tor and disable it conditionally? As it stands, adding Onion support requires downgrading your clearnet config.
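One way the conditional behaviour asked for above could look, as an added example that is not Pleroma's code and not part of the original issue: a standalone Plug that always emits the browser-hardening headers from the first block, but only adds the HTTPS-only ones (HSTS and Expect-CT) when the request did not arrive on the `.onion` host. The module name, the option keys, the default max-age values and the simplified CSP string are assumptions made for the example.

```elixir
# Added example (not Pleroma's own HTTPSecurityPlug): keep the hardening headers
# on every response, but skip HSTS/Expect-CT for requests that reached the
# backend via the .onion vhost, so the clearnet vhost keeps its full policy.
# Assumption: the onion vhost forwards the original Host header to the backend.
defmodule MyInstance.Plugs.ConditionalHTTPSecurity do
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, opts) do
    conn
    |> merge_resp_headers(common_headers(opts))
    |> maybe_add_tls_headers(onion_request?(conn), opts)
  end

  # A Host ending in ".onion" marks a request that came in over Tor.
  # Only the requesting client can influence this value, so the worst it can
  # do is drop HSTS from its own response, which is harmless.
  def onion_request?(%Plug.Conn{host: host}) when is_binary(host) do
    host |> String.downcase() |> String.ends_with?(".onion")
  end

  def onion_request?(_conn), do: false

  # Headers that are safe on both clearnet and onion responses.
  defp common_headers(opts) do
    referrer_policy = Keyword.get(opts, :referrer_policy, "same-origin")
    # Hypothetical CSP for the example; a real instance builds a longer string.
    # Note: if the clearnet CSP carries "upgrade-insecure-requests", it would
    # also need to be omitted for the plain-http onion host.
    csp = Keyword.get(opts, :csp, "default-src 'self'; frame-ancestors 'none'")

    [
      {"x-xss-protection", "1; mode=block"},
      {"x-permitted-cross-domain-policies", "none"},
      {"x-frame-options", "DENY"},
      {"x-content-type-options", "nosniff"},
      {"referrer-policy", referrer_policy},
      {"x-download-options", "noopen"},
      {"content-security-policy", csp},
      {"permissions-policy", "interest-cohort=()"}
    ]
  end

  # Onion request: HSTS and Expect-CT only make sense over TLS, so add nothing.
  defp maybe_add_tls_headers(conn, true, _opts), do: conn

  # Clearnet request: add the TLS-related headers with configurable max-age.
  defp maybe_add_tls_headers(conn, false, opts) do
    max_age_sts = Keyword.get(opts, :sts_max_age, 31_536_000)
    max_age_ct = Keyword.get(opts, :ct_max_age, 2_592_000)

    merge_resp_headers(conn, [
      {"strict-transport-security", "max-age=#{max_age_sts}; includeSubDomains"},
      {"expect-ct", "enforce, max-age=#{max_age_ct}"}
    ])
  end
end
```

Wired into an endpoint or router pipeline with `plug MyInstance.Plugs.ConditionalHTTPSecurity, sts_max_age: 31_536_000`, the plug splits the policy by host rather than switching the whole feature off, which is the point of the request: the clearnet vhost is not downgraded. If the deployment terminates both vhosts in Nginx and rewrites Host, the onion vhost can instead pass an explicit marker request header and `onion_request?/1` can key off that via `get_req_header/2`.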