commit: 39b766cc43c39dbff84cb498c4b4c764abdec9a0
parent: 07f8c79a698e7ed139dec4adcefc0ae1ba680815
Author: kaniini <nenolod@gmail.com>
Date:   Wed,  6 Mar 2019 13:22:02 +0000

Merge branch 'bugfix/connect-src-https' into 'develop'

Plugs.HTTPSecurityPlug: Add static_url to CSP's connect-src

See merge request pleroma/pleroma!900

Diffstat:

Mlib/pleroma/plugs/http_security_plug.ex9++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex
@@ -34,13 +34,16 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
 defp csp_string do
 scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]
- websocket_url = String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws")
+ static_url = Pleroma.Web.Endpoint.static_url()
+ websocket_url = String.replace(static_url, "http", "ws")
+
+ connect_src = "connect-src 'self' #{static_url} #{websocket_url}"
 connect_src =
 if Mix.env() == :dev do
- "connect-src 'self' http://localhost:3035/ " <> websocket_url
+ connect_src <> " http://localhost:3035/"
 else
- "connect-src 'self' " <> websocket_url
+ connect_src
 end
 script_src =
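Review bot: `String.replace(static_url, "http", "ws")` rewrites every occurrence of "http" in the URL, not only the scheme, so a static URL whose host or path contains that substring would produce a websocket origin in `connect-src` that matches nothing the client actually connects to. Anchoring the substitution to the scheme avoids that: `websocket_url = String.replace_leading(static_url, "http", "ws")`. `static_url` is also interpolated into the header verbatim, so a configured value containing whitespace or `;` would presumably add extra sources or directives to the policy; a short comment stating that it must be a bare origin would help. The body of `csp_string` continues past the end of this hunk.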