commit: 0534463cef059d1af1e90007e13e27207876dd9f
parent: c71b3a1b124f5dba23ebe812289868aa4983d8a8
Author: kaniini <nenolod@gmail.com>
Date: Tue, 12 Feb 2019 22:41:46 +0000
Merge branch 'feature/csp_mastofe-dev' into 'develop'
Add CSP for mastofe development, remove secure-cookies in MIX_ENV=dev
See merge request pleroma/pleroma!820
Diffstat:
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/config/dev.exs b/config/dev.exs
@@ -16,7 +16,8 @@ config :pleroma, Pleroma.Web.Endpoint,
debug_errors: true,
code_reloader: true,
check_origin: false,
- watchers: []
+ watchers: [],
+ secure_cookie_flag: false
config :pleroma, Pleroma.Mailer, adapter: Swoosh.Adapters.Local
diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex
@@ -34,6 +34,21 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
defp csp_string do
scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]
+ websocket_url = String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws")
+
+ connect_src =
+ if Mix.env() == :dev do
+ "connect-src 'self' http://localhost:3035/ " <> websocket_url
+ else
+ "connect-src 'self' " <> websocket_url
+ end
+
+ script_src =
+ if Mix.env() == :dev do
+ "script-src 'self' 'unsafe-eval'"
+ else
+ "script-src 'self'"
+ end
[
"default-src 'none'",
@@ -43,9 +58,9 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
"media-src 'self' https:",
"style-src 'self' 'unsafe-inline'",
"font-src 'self'",
- "script-src 'self'",
- "connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
"manifest-src 'self'",
+ connect_src,
+ script_src,
if scheme == "https" do
"upgrade-insecure-requests"
end
