Add media sources to connect-src if media proxy is enabled

This commit is contained in:
FloatingGhost 2022-11-10 17:26:51 +00:00
parent 50458a17dc
commit ac0c00cdee
2 changed files with 14 additions and 8 deletions

View file

@ -104,13 +104,11 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
{[img_src, " https:"], [media_src, " https:"]} {[img_src, " https:"], [media_src, " https:"]}
end end
connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url] connect_src = if Config.get([:media_proxy, :enabled]) do
sources = build_csp_multimedia_source_list()
connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url, ?\s, sources]
if Config.get(:env) == :dev do
[connect_src, " http://localhost:3035/"]
else else
connect_src ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
end end
script_src = script_src =

View file

@ -100,12 +100,14 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
url = "https://example.com" url = "https://example.com"
clear_config([:media_proxy, :base_url], url) clear_config([:media_proxy, :base_url], url)
assert_media_img_src(conn, url) assert_media_img_src(conn, url)
assert_connect_src(conn, url)
end end
test "upload with base url", %{conn: conn} do test "upload with base url", %{conn: conn} do
url = "https://example2.com" url = "https://example2.com"
clear_config([Pleroma.Upload, :base_url], url) clear_config([Pleroma.Upload, :base_url], url)
assert_media_img_src(conn, url) assert_media_img_src(conn, url)
assert_connect_src(conn, url)
end end
test "with S3 public endpoint", %{conn: conn} do test "with S3 public endpoint", %{conn: conn} do
@ -138,6 +140,12 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do
assert csp =~ "img-src 'self' data: blob: #{url};" assert csp =~ "img-src 'self' data: blob: #{url};"
end end
defp assert_connect_src(conn, url) do
conn = get(conn, "/api/v1/instance")
[csp] = Conn.get_resp_header(conn, "content-security-policy")
assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/
end
test "it does not send CSP headers when disabled", %{conn: conn} do test "it does not send CSP headers when disabled", %{conn: conn} do
clear_config([:http_security, :enabled], false) clear_config([:http_security, :enabled], false)