- Quote posts are now considered as part of the same thread as the post they are quoting
- Simplified HTTP signature processing
- Rich media will now hard-exit after 5 seconds, to prevent timeline hangs
+- HTTP Content Security Policy is now far more strict to prevent any potential XSS/CSS leakages
### Fixed
- /api/v1/accounts/lookup will now respect restrict\_unauthenticated
connect_src =
if Config.get([:media_proxy, :enabled]) do
sources = build_csp_multimedia_source_list()
- ["connect-src 'self' blob: ", static_url, ?\s, websocket_url, ?\s, sources]
+ ["connect-src 'self' ", static_url, ?\s, websocket_url, ?\s, sources]
else
- ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
+ ["connect-src 'self' ", static_url, ?\s, websocket_url]
end
- style_src = "style-src 'self' 'unsafe-inline'"
- font_src = "font-src 'self' data:"
+ style_src = "style-src 'self' '#{nonce_tag}'"
+ font_src = "font-src 'self'"
- script_src =
- if Config.get(:env) == :dev do
- "script-src 'self' 'unsafe-eval' '#{nonce_tag}'"
- else
- "script-src 'self' '#{nonce_tag}'"
- end
+ script_src = "script-src 'self' '#{nonce_tag}'"
report = if report_uri, do: ["report-uri ", report_uri, ";report-to csp-endpoint"]
insecure = if scheme == "https", do: "upgrade-insecure-requests"
defp assert_connect_src(conn, url) do
conn = get(conn, "/api/v1/instance")
[csp] = Conn.get_resp_header(conn, "content-security-policy")
- assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/
+ assert csp =~ ~r/connect-src 'self' [^;]+ #{url}/
end
test "it does not send CSP headers when disabled", %{conn: conn} do
projects / akkoma / commitdiff