commit: 1e685c8302ee1935d076258833d7219321e3a0fd
parent b729a8b140306fd67817442bdde1299e05aca5b2
Author: Haelwenn <contact+git.pleroma.social@hacktivis.me>
Date: Wed, 16 Aug 2023 13:37:49 +0000
Merge branch 'csp-flash' into 'develop'
allow https: so that flash works across instances without need for media proxy
See merge request pleroma/pleroma!3879
Diffstat:
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/changelog.d/3879.fix b/changelog.d/3879.fix
@@ -0,0 +1 @@
+fix not being able to fetch flash file from remote instance
+\ No newline at end of file
diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -93,18 +93,26 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
img_src = "img-src 'self' data: blob:"
media_src = "media-src 'self'"
+ connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
# Strict multimedia CSP enforcement only when MediaProxy is enabled
- {img_src, media_src} =
+ {img_src, media_src, connect_src} =
if Config.get([:media_proxy, :enabled]) &&
!Config.get([:media_proxy, :proxy_opts, :redirect_on_failure]) do
sources = build_csp_multimedia_source_list()
- {[img_src, sources], [media_src, sources]}
+ {
+ [img_src, sources],
+ [media_src, sources],
+ [connect_src, sources]
+ }
else
- {[img_src, " https:"], [media_src, " https:"]}
+ {
+ [img_src, " https:"],
+ [media_src, " https:"],
+ [connect_src, " https:"]
+ }
end
- connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
connect_src =
if Config.get(:env) == :dev do
