mirror of
https://akkoma.dev/AkkomaGang/akkoma.git
synced 2024-12-18 23:59:34 +00:00
Add media sources to connect-src if media proxy is enabled
This commit is contained in:
parent
50458a17dc
commit
ac0c00cdee
|
@ -104,14 +104,12 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
|
|||
{[img_src, " https:"], [media_src, " https:"]}
|
||||
end
|
||||
|
||||
connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
|
||||
|
||||
connect_src =
|
||||
if Config.get(:env) == :dev do
|
||||
[connect_src, " http://localhost:3035/"]
|
||||
else
|
||||
connect_src
|
||||
end
|
||||
connect_src = if Config.get([:media_proxy, :enabled]) do
|
||||
sources = build_csp_multimedia_source_list()
|
||||
["connect-src 'self' blob: ", static_url, ?\s, websocket_url, ?\s, sources]
|
||||
else
|
||||
["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
|
||||
end
|
||||
|
||||
script_src =
|
||||
if Config.get(:env) == :dev do
|
||||
|
|
|
@ -100,12 +100,14 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
|
|||
url = "https://example.com"
|
||||
clear_config([:media_proxy, :base_url], url)
|
||||
assert_media_img_src(conn, url)
|
||||
assert_connect_src(conn, url)
|
||||
end
|
||||
|
||||
test "upload with base url", %{conn: conn} do
|
||||
url = "https://example2.com"
|
||||
clear_config([Pleroma.Upload, :base_url], url)
|
||||
assert_media_img_src(conn, url)
|
||||
assert_connect_src(conn, url)
|
||||
end
|
||||
|
||||
test "with S3 public endpoint", %{conn: conn} do
|
||||
|
@ -138,6 +140,12 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
|
|||
assert csp =~ "img-src 'self' data: blob: #{url};"
|
||||
end
|
||||
|
||||
defp assert_connect_src(conn, url) do
|
||||
conn = get(conn, "/api/v1/instance")
|
||||
[csp] = Conn.get_resp_header(conn, "content-security-policy")
|
||||
assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/
|
||||
end
|
||||
|
||||
test "it does not send CSP headers when disabled", %{conn: conn} do
|
||||
clear_config([:http_security, :enabled], false)
|
||||
|
||||
|
|
Loading…
Reference in a new issue