Merge branch 'develop' into stable
diff --git
a/lib/pleroma/web/plugs/http_security_plug.ex
b/lib/pleroma/web/plugs/http_security_plug.ex
index 5f0b775bea9e1025b28bdbc03111308743f7c02a..d7cff73436a83701ed02fbfe16b85174edea0265 100644
--- a/
lib/pleroma/web/plugs/http_security_plug.ex
+++ b/
lib/pleroma/web/plugs/http_security_plug.ex
@@
-8,6
+8,8
@@
defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
require Logger
require Logger
+ @mix_env Mix.env()
+
def init(opts), do: opts
def call(conn, _options) do
def init(opts), do: opts
def call(conn, _options) do
@@
-106,19
+108,21
@@
defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
connect_src =
if Config.get([:media_proxy, :enabled]) do
sources = build_csp_multimedia_source_list()
connect_src =
if Config.get([:media_proxy, :enabled]) do
sources = build_csp_multimedia_source_list()
- ["connect-src 'self'
blob:
", static_url, ?\s, websocket_url, ?\s, sources]
+ ["connect-src 'self' ", static_url, ?\s, websocket_url, ?\s, sources]
else
else
- ["connect-src 'self'
blob:
", static_url, ?\s, websocket_url]
+ ["connect-src 'self' ", static_url, ?\s, websocket_url]
end
end
- style_src = "style-src 'self' 'unsafe-inline'"
- font_src = "font-src 'self' data:"
+ style_src = "style-src 'self' '#{nonce_tag}'"
+ font_src = "font-src 'self'"
+
+ script_src = "script-src 'self' '#{nonce_tag}' "
script_src =
script_src =
- if
Config.get(:env)
== :dev do
- "script-src 'self' 'unsafe-eval' '
#{nonce_tag}
'"
+ if
@mix_env
== :dev do
+ "script-src 'self' 'unsafe-eval' '
unsafe-inline
'"
else
else
- "script-src 'self' '#{nonce_tag}'"
+ script_src
end
report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
end
report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
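Review bot: The dev branch of the new `script_src` conditional swaps the nonce for `'unsafe-inline'`, so the nonce-based policy that production serves is never exercised during development and any frontend inline script missing the nonce will only surface as a CSP violation once deployed; unless dev tooling genuinely needs inline scripts, keep the nonce there as well, `"script-src 'self' 'unsafe-eval' '#{nonce_tag}'"`, or add a comment explaining why `'unsafe-inline'` is required in dev. The first binding `script_src = "script-src 'self' '#{nonce_tag}' "` is immediately shadowed and only survives through the `else` branch, carrying a stray trailing space; folding it into the conditional would read more clearly. Moving from `Config.get(:env)` to the compile-time `@mix_env` is presumably deliberate so that runtime configuration can no longer relax the CSP of a production build, which is worth stating on the attribute, e.g. `# resolved at compile time: a prod release can never be switched to the relaxed dev policy`. The enclosing function starts before this hunk and the `nonce_tag` binding it relies on is outside it.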