Add media sources to connect-src if media proxy is enabled
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
This commit is contained in:
parent
50458a17dc
commit
ac0c00cdee
2 changed files with 14 additions and 8 deletions
|
@ -104,14 +104,12 @@ defp csp_string do
|
||||||
{[img_src, " https:"], [media_src, " https:"]}
|
{[img_src, " https:"], [media_src, " https:"]}
|
||||||
end
|
end
|
||||||
|
|
||||||
connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
|
connect_src = if Config.get([:media_proxy, :enabled]) do
|
||||||
|
sources = build_csp_multimedia_source_list()
|
||||||
connect_src =
|
["connect-src 'self' blob: ", static_url, ?\s, websocket_url, ?\s, sources]
|
||||||
if Config.get(:env) == :dev do
|
else
|
||||||
[connect_src, " http://localhost:3035/"]
|
["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
|
||||||
else
|
end
|
||||||
connect_src
|
|
||||||
end
|
|
||||||
|
|
||||||
script_src =
|
script_src =
|
||||||
if Config.get(:env) == :dev do
|
if Config.get(:env) == :dev do
|
||||||
|
|
|
@ -100,12 +100,14 @@ test "media_proxy with base_url", %{conn: conn} do
|
||||||
url = "https://example.com"
|
url = "https://example.com"
|
||||||
clear_config([:media_proxy, :base_url], url)
|
clear_config([:media_proxy, :base_url], url)
|
||||||
assert_media_img_src(conn, url)
|
assert_media_img_src(conn, url)
|
||||||
|
assert_connect_src(conn, url)
|
||||||
end
|
end
|
||||||
|
|
||||||
test "upload with base url", %{conn: conn} do
|
test "upload with base url", %{conn: conn} do
|
||||||
url = "https://example2.com"
|
url = "https://example2.com"
|
||||||
clear_config([Pleroma.Upload, :base_url], url)
|
clear_config([Pleroma.Upload, :base_url], url)
|
||||||
assert_media_img_src(conn, url)
|
assert_media_img_src(conn, url)
|
||||||
|
assert_connect_src(conn, url)
|
||||||
end
|
end
|
||||||
|
|
||||||
test "with S3 public endpoint", %{conn: conn} do
|
test "with S3 public endpoint", %{conn: conn} do
|
||||||
|
@ -138,6 +140,12 @@ defp assert_media_img_src(conn, url) do
|
||||||
assert csp =~ "img-src 'self' data: blob: #{url};"
|
assert csp =~ "img-src 'self' data: blob: #{url};"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
defp assert_connect_src(conn, url) do
|
||||||
|
conn = get(conn, "/api/v1/instance")
|
||||||
|
[csp] = Conn.get_resp_header(conn, "content-security-policy")
|
||||||
|
assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/
|
||||||
|
end
|
||||||
|
|
||||||
test "it does not send CSP headers when disabled", %{conn: conn} do
|
test "it does not send CSP headers when disabled", %{conn: conn} do
|
||||||
clear_config([:http_security, :enabled], false)
|
clear_config([:http_security, :enabled], false)
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue