From 1c699144d23aa4a86ff8b6ebef7d760ce9e3a4e2 Mon Sep 17 00:00:00 2001
From: Lain Soykaf <lain@lain.com>
Date: Mon, 27 May 2024 21:26:40 +0400
Subject: HttpSecurityPlug: Don't allow unsafe-eval by default

---
 config/config.exs | 3 ++-
 config/test.exs   | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

(limited to 'config')

diff --git a/config/config.exs b/config/config.exs
index 4752bbbde..f861daf04 100644
--- a/config/config.exs
+++ b/config/config.exs
@@ -519,7 +519,8 @@ config :pleroma, :http_security,
   sts: false,
   sts_max_age: 31_536_000,
   ct_max_age: 2_592_000,
-  referrer_policy: "same-origin"
+  referrer_policy: "same-origin",
+  allow_unsafe_eval: false
 
 config :cors_plug,
   max_age: 86_400,
diff --git a/config/test.exs b/config/test.exs
index 3345bb3a9..b5c9c6e4a 100644
--- a/config/test.exs
+++ b/config/test.exs
@@ -154,6 +154,7 @@ config :pleroma, Pleroma.Upload, config_impl: Pleroma.UnstubbedConfigMock
 config :pleroma, Pleroma.ScheduledActivity, config_impl: Pleroma.UnstubbedConfigMock
 config :pleroma, Pleroma.Web.RichMedia.Helpers, config_impl: Pleroma.StaticStubbedConfigMock
 config :pleroma, Pleroma.Uploaders.IPFS, config_impl: Pleroma.UnstubbedConfigMock
+config :pleroma, Pleroma.Web.Plugs.HTTPSecurityPlug, config_impl: Pleroma.UnstubbedConfigMock
 
 peer_module =
   if String.to_integer(System.otp_release()) >= 25 do
-- 
cgit v1.2.3