From eaa59daa4c229bf47e30ac389563c82b11378e07 Mon Sep 17 00:00:00 2001 From: Mark Felder Date: Fri, 3 Jul 2020 17:06:20 -0500 Subject: [PATCH] Add Captcha endpoint to CSP headers when MediaProxy is enabled. Our CSP rules are lax when MediaProxy enabled, but lenient otherwise. This fixes broken captcha on instances not using MediaProxy. --- lib/pleroma/plugs/http_security_plug.ex | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex index 1420a9611..f7192ebfc 100644 --- a/lib/pleroma/plugs/http_security_plug.ex +++ b/lib/pleroma/plugs/http_security_plug.ex @@ -125,11 +125,19 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do if Config.get([Pleroma.Upload, :uploader]) == Pleroma.Uploaders.S3, do: URI.parse(Config.get([Pleroma.Uploaders.S3, :public_endpoint])).host + captcha_method = Config.get([Pleroma.Captcha, :method]) + + captcha_endpoint = + if Config.get([Pleroma.Captcha, :enabled]) && + captcha_method != "Pleroma.Captcha.Native", + do: Config.get([captcha_method, :endpoint]) + [] |> add_source(media_proxy_base_url) |> add_source(upload_base_url) |> add_source(s3_endpoint) |> add_source(media_proxy_whitelist) + |> add_source(captcha_endpoint) end defp add_source(iodata, nil), do: iodata -- 2.45.2