From 04daa0fa4473075c873aa733e4e2876c557b0444 Mon Sep 17 00:00:00 2001 From: "Haelwenn (lanodan) Monnier" Date: Mon, 26 Nov 2018 21:40:29 +0100 Subject: [PATCH] Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https This fixes running mastofe with MIX_ENV=dev --- lib/pleroma/plugs/http_security_plug.ex | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index 84d6506e3..4c32653ea 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -29,6 +29,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do end defp csp_string do + protocol = Config.get([Pleroma.Web.Endpoint, :protocol]) + [ "default-src 'none'", "base-uri 'self'", @@ -40,7 +42,9 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do "script-src 'self'", "connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"), "manifest-src 'self'", - "upgrade-insecure-requests" + if @protocol == "https" do + "upgrade-insecure-requests" + end ] |> Enum.join("; ") end -- 2.45.2