Add blob: to connect-src CSP
author Alex Gleason <alex@alexgleason.me>
Fri, 29 May 2020 15:33:31 +0000 (10:33 -0500)
committer Alex Gleason <alex@alexgleason.me>
Fri, 29 May 2020 16:08:17 +0000 (11:08 -0500)
CHANGELOG.md
lib/pleroma/plugs/http_security_plug.ex

index dabc2a85ab527ea72da819b20faf1993a2272538..839bf90ab984a3a09c8e54021dfd42a135228894 100644 (file)
@@ -44,6 +44,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Fix follower/blocks import when nicknames starts with @
 - Filtering of push notifications on activities from blocked domains
 - Resolving Peertube accounts with Webfinger
+- `blob:` urls not being allowed by connect-src CSP
 
 ## [Unreleased (patch)]
 
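Review bot: The added changelog line names the CSP mechanism but not what was broken for users, so someone scanning the release notes cannot tell which feature this restores. Suggest naming the affected behaviour (whatever request to a `blob:` URL was being blocked) and writing "URLs" in capitals, for example "`blob:` URLs not being allowed by connect-src CSP, which broke ...", with the ending filled in by the author.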
index 2208d1d6ce7c5127867fc5b363ef7bb6a470903f..41e3a31f43a39c355b3e251e993f452b67395539 100644 (file)
@@ -78,7 +78,7 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
         {img_src, media_src}
       end
 
-    connect_src = ["connect-src 'self' ", static_url, ?\s, websocket_url]
+    connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
 
     connect_src =
       if Pleroma.Config.get(:env) == :dev do
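Review bot: The `blob:` source added to the `connect_src` list relaxes the policy without a comment or a visible test, so the reason for it is not recorded next to the directive it loosens. Suggest a one-line comment above `connect_src = ["connect-src 'self' blob: ", ...]` saying which client behaviour needs to fetch `blob:` URLs, plus an assertion in the plug's tests that the emitted `connect-src` directive contains `blob:`, so a later tightening of the header does not silently remove it. Since `connect_src` is rebound in the `:dev` branch directly below, it is also worth confirming that branch extends this list rather than rebuilding it, so dev and production serve the same `blob:` allowance. The change is correctly limited to `connect-src`; the comment should say so, to discourage copying `blob:` into other directives later.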