diff options
| -rw-r--r-- | changelog.d/3879.fix | 1 | ||||
| -rw-r--r-- | lib/pleroma/web/plugs/http_security_plug.ex | 16 |
2 files changed, 13 insertions, 4 deletions
diff --git a/changelog.d/3879.fix b/changelog.d/3879.fix new file mode 100644 index 000000000..7c58cc3c2 --- /dev/null +++ b/changelog.d/3879.fix @@ -0,0 +1 @@ +fix not being able to fetch flash file from remote instance
\ No newline at end of file diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex index 34895c8d5..a3166bc96 100644 --- a/lib/pleroma/web/plugs/http_security_plug.ex +++ b/lib/pleroma/web/plugs/http_security_plug.ex @@ -93,18 +93,26 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do img_src = "img-src 'self' data: blob:" media_src = "media-src 'self'" + connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url] # Strict multimedia CSP enforcement only when MediaProxy is enabled - {img_src, media_src} = + {img_src, media_src, connect_src} = if Config.get([:media_proxy, :enabled]) && !Config.get([:media_proxy, :proxy_opts, :redirect_on_failure]) do sources = build_csp_multimedia_source_list() - {[img_src, sources], [media_src, sources]} + { + [img_src, sources], + [media_src, sources], + [connect_src, sources] + } else - {[img_src, " https:"], [media_src, " https:"]} + { + [img_src, " https:"], + [media_src, " https:"], + [connect_src, " https:"] + } end - connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url] connect_src = if Config.get(:env) == :dev do |