{[img_src, " https:"], [media_src, " https:"]}
end
- connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
-
- connect_src =
- if Config.get(:env) == :dev do
- [connect_src, " http://localhost:3035/"]
- else
- connect_src
- end
+ connect_src = if Config.get([:media_proxy, :enabled]) do
+ sources = build_csp_multimedia_source_list()
+ ["connect-src 'self' blob: ", static_url, ?\s, websocket_url, ?\s, sources]
+ else
+ ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
+ end
script_src =
if Config.get(:env) == :dev do
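Review bot: The new `connect-src` branch appends everything `build_csp_multimedia_source_list()` returns, and `connect-src` governs fetch/XHR/WebSocket destinations, so every host in that list becomes an origin that page script may send requests to, not only load images from. The helper is not visible in this hunk; if it can return third-party or whitelist hosts rather than only the instance's own proxy and upload base URLs, `connect-src` should get a narrower list than `img-src`/`media-src`. The two branches also repeat the base directive, which invites drift: `base = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]` followed by `connect_src = if Config.get([:media_proxy, :enabled]), do: [base, ?\s, build_csp_multimedia_source_list()], else: base` states it once. A one-line comment above it saying why script-initiated requests to the media hosts are needed would record the intent for the next reviewer of this policy.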
url = "https://example.com"
clear_config([:media_proxy, :base_url], url)
assert_media_img_src(conn, url)
+ assert_connect_src(conn, url)
end
test "upload with base url", %{conn: conn} do
url = "https://example2.com"
clear_config([Pleroma.Upload, :base_url], url)
assert_media_img_src(conn, url)
+ assert_connect_src(conn, url)
end
test "with S3 public endpoint", %{conn: conn} do
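Review bot: `assert_connect_src/2` is added to the media proxy and upload base URL tests but not to "with S3 public endpoint", whose body lies outside this hunk; if the S3 endpoint comes from the same source list, that test should gain `assert_connect_src(conn, url)` as well. The new `else` branch in the plug has no negative test either: a case that calls `clear_config([:media_proxy, :enabled], false)` and then uses `refute csp =~ url` on the `connect-src` directive would pin that the policy is not widened when the proxy is off. Without it, a regression that always appends the media hosts would pass this suite.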
assert csp =~ "img-src 'self' data: blob: #{url};"
end
+ defp assert_connect_src(conn, url) do
+ conn = get(conn, "/api/v1/instance")
+ [csp] = Conn.get_resp_header(conn, "content-security-policy")
+ assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/
+ end
+
test "it does not send CSP headers when disabled", %{conn: conn} do
clear_config([:http_security, :enabled], false)
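Review bot: In `assert_connect_src/2` the URL is interpolated into the regex unescaped and without a terminator, so the `.` in `https://example.com` matches any character and a longer host that merely starts with the expected one would also satisfy the assertion. For a CSP test this matters because a wrong but similar origin in `connect-src` would go unnoticed. Escaping the value and anchoring its end tightens the check: `assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{Regex.escape(url)}(?:[ ;]|$)/`. A short comment on the helper noting that it fetches `/api/v1/instance` only to read the response header would also help readers.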