From ac0c00cdee239e6bc37c0df2bfdb9f0ec1d24606 Mon Sep 17 00:00:00 2001 From: FloatingGhost Date: Thu, 10 Nov 2022 17:26:51 +0000 Subject: [PATCH] Add media sources to connect-src if media proxy is enabled --- lib/pleroma/web/plugs/http_security_plug.ex | 14 ++++++-------- test/pleroma/web/plugs/http_security_plug_test.exs | 8 ++++++++ 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex index 3e8e931d1..43b075447 100644 --- a/lib/pleroma/web/plugs/http_security_plug.ex +++ b/lib/pleroma/web/plugs/http_security_plug.ex @@ -104,14 +104,12 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do {[img_src, " https:"], [media_src, " https:"]} end - connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url] - - connect_src = - if Config.get(:env) == :dev do - [connect_src, " http://localhost:3035/"] - else - connect_src - end + connect_src = if Config.get([:media_proxy, :enabled]) do + sources = build_csp_multimedia_source_list() + ["connect-src 'self' blob: ", static_url, ?\s, websocket_url, ?\s, sources] + else + ["connect-src 'self' blob: ", static_url, ?\s, websocket_url] + end script_src = if Config.get(:env) == :dev do diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs index eb94cd665..7f85f4a11 100644 --- a/test/pleroma/web/plugs/http_security_plug_test.exs +++ b/test/pleroma/web/plugs/http_security_plug_test.exs @@ -100,12 +100,14 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do url = "https://example.com" clear_config([:media_proxy, :base_url], url) assert_media_img_src(conn, url) + assert_connect_src(conn, url) end test "upload with base url", %{conn: conn} do url = "https://example2.com" clear_config([Pleroma.Upload, :base_url], url) assert_media_img_src(conn, url) + assert_connect_src(conn, url) end test "with S3 public endpoint", %{conn: conn} do @@ -138,6 +140,12 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlugTest do assert csp =~ "img-src 'self' data: blob: #{url};" end + defp assert_connect_src(conn, url) do + conn = get(conn, "/api/v1/instance") + [csp] = Conn.get_resp_header(conn, "content-security-policy") + assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/ + end + test "it does not send CSP headers when disabled", %{conn: conn} do clear_config([:http_security, :enabled], false)