pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma
commit: 660d49227b951185d9218b787de70cc14f217417
parent: 219d2b3146ee72abc0bb8bd163c0ddcd986988fc
Author: rinpatch <rinpatch@sdf.org>
Date:   Fri, 29 May 2020 19:26:54 +0000

Merge branch 'connect-src' into 'develop'

Add blob: to connect-src CSP, fixes #1827

Closes #1827

See merge request pleroma/pleroma!2608

Diffstat:

M CHANGELOG.md                            | 1 +
M lib/pleroma/plugs/http_security_plug.ex | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md @@ -44,6 +44,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). - Fix follower/blocks import when nicknames starts with @ - Filtering of push notifications on activities from blocked domains - Resolving Peertube accounts with Webfinger +- `blob:` urls not being allowed by connect-src CSP ## [Unreleased (patch)] diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex @@ -78,7 +78,7 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do {img_src, media_src} end - connect_src = ["connect-src 'self' ", static_url, ?\s, websocket_url] + connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url] connect_src = if Pleroma.Config.get(:env) == :dev do
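
Review bot: In the `lib/pleroma/plugs/http_security_plug.ex` hunk, the changed `connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]` line comes with no test; the diffstat lists only CHANGELOG.md and the plug itself. Suggest adding an assertion on the emitted Content-Security-Policy header that the `connect-src` directive contains `blob:`, so a later rework of this list cannot silently drop it and reintroduce #1827. A short comment above the assignment stating why `blob:` is required would also help, since the scheme is allowed unconditionally rather than behind a config check like the `:dev` branch that follows, and the reason is otherwise only recoverable from the issue tracker.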