mirror of
https://git.pleroma.social/pleroma/pleroma.git
synced 2024-12-23 00:26:30 +00:00
Merge branch 'feature/csp_mastofe-dev' into 'develop'
Add CSP for mastofe development, remove secure-cookies in MIX_ENV=dev See merge request pleroma/pleroma!820
This commit is contained in:
commit
0534463cef
2 changed files with 19 additions and 3 deletions
|
@ -16,7 +16,8 @@ config :pleroma, Pleroma.Web.Endpoint,
|
|||
debug_errors: true,
|
||||
code_reloader: true,
|
||||
check_origin: false,
|
||||
watchers: []
|
||||
watchers: [],
|
||||
secure_cookie_flag: false
|
||||
|
||||
config :pleroma, Pleroma.Mailer, adapter: Swoosh.Adapters.Local
|
||||
|
||||
|
|
|
@ -34,6 +34,21 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
|
|||
|
||||
defp csp_string do
|
||||
scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]
|
||||
websocket_url = String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws")
|
||||
|
||||
connect_src =
|
||||
if Mix.env() == :dev do
|
||||
"connect-src 'self' http://localhost:3035/ " <> websocket_url
|
||||
else
|
||||
"connect-src 'self' " <> websocket_url
|
||||
end
|
||||
|
||||
script_src =
|
||||
if Mix.env() == :dev do
|
||||
"script-src 'self' 'unsafe-eval'"
|
||||
else
|
||||
"script-src 'self'"
|
||||
end
|
||||
|
||||
[
|
||||
"default-src 'none'",
|
||||
|
@ -43,9 +58,9 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
|
|||
"media-src 'self' https:",
|
||||
"style-src 'self' 'unsafe-inline'",
|
||||
"font-src 'self'",
|
||||
"script-src 'self'",
|
||||
"connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
|
||||
"manifest-src 'self'",
|
||||
connect_src,
|
||||
script_src,
|
||||
if scheme == "https" do
|
||||
"upgrade-insecure-requests"
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue