commit: bdb0c6e418b89b841496737c22ecef65cbe6150d
parent: 3370924b8ba87354249182694cfa3b598a66e6de
Author: kaniini <nenolod@gmail.com>
Date: Mon, 26 Nov 2018 22:24:21 +0000
Merge branch 'bugfix/csp-no-https' into 'develop'
Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https
See merge request pleroma/pleroma!475
Diffstat:
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex
@@ -29,6 +29,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
end
defp csp_string do
+ protocol = Config.get([Pleroma.Web.Endpoint, :protocol])
+
[
"default-src 'none'",
"base-uri 'self'",
@@ -40,7 +42,9 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
"script-src 'self'",
"connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
"manifest-src 'self'",
- "upgrade-insecure-requests"
+ if @protocol == "https" do
+ "upgrade-insecure-requests"
+ end
]
|> Enum.join("; ")
end
