From: Haelwenn (lanodan) Monnier Date: Mon, 26 Nov 2018 20:40:29 +0000 (+0100) Subject: Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https X-Git-Url: https://git.squeep.com/?a=commitdiff_plain;h=04daa0fa4473075c873aa733e4e2876c557b0444;p=akkoma Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https This fixes running mastofe with MIX_ENV=dev --- diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index 84d6506e3..4c32653ea 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -29,6 +29,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do end defp csp_string do + protocol = Config.get([Pleroma.Web.Endpoint, :protocol]) + [ "default-src 'none'", "base-uri 'self'", @@ -40,7 +42,9 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do "script-src 'self'", "connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"), "manifest-src 'self'", - "upgrade-insecure-requests" + if @protocol == "https" do + "upgrade-insecure-requests" + end ] |> Enum.join("; ") end