commit: c0d11da2d8edc57ef88163c06a19aad3e28d14db
parent cd20d15bb8d2f97f8dd0850993041f15865cdda9
Author: Henry Jameson <me@hjkos.com>
Date: Sun, 7 May 2023 15:16:30 +0300
conditionally set csp depnding on media-proxy state
Diffstat:
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -93,18 +93,26 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
img_src = "img-src 'self' data: blob:"
media_src = "media-src 'self'"
+ connect_src = ["connect-src 'self' blob:", static_url, ?\s, websocket_url]
# Strict multimedia CSP enforcement only when MediaProxy is enabled
- {img_src, media_src} =
+ {img_src, media_src, connect_src} =
if Config.get([:media_proxy, :enabled]) &&
!Config.get([:media_proxy, :proxy_opts, :redirect_on_failure]) do
sources = build_csp_multimedia_source_list()
- {[img_src, sources], [media_src, sources]}
+ {
+ [img_src, sources],
+ [media_src, sources],
+ [connect_src, sources]
+ }
else
- {[img_src, " https:"], [media_src, " https:"]}
+ {
+ [img_src, " https:"],
+ [media_src, " https:"],
+ [connect_src, " https:"]
+ }
end
- connect_src = ["connect-src 'self' blob: https: ", static_url, ?\s, websocket_url]
connect_src =
if Config.get(:env) == :dev do
