Merge branch 'bugfix/csp-no-https' into 'develop'

Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https See merge request pleroma/pleroma!475
2018-11-26 22:24:21 +00:00 · 2018-11-26 22:24:21 +00:00 · bdb0c6e418
parent 3370924b8b 04daa0fa44
commit bdb0c6e418
1 changed files with 5 additions and 1 deletions
--- a/lib/pleroma/plugs/http_security_plug.ex
+++ b/lib/pleroma/plugs/http_security_plug.ex
@ -29,6 +29,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
  end

  defp csp_string do
+    protocol = Config.get([Pleroma.Web.Endpoint, :protocol])
+
    [
      "default-src 'none'",
      "base-uri 'self'",
@ -40,7 +42,9 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
      "script-src 'self'",
      "connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
      "manifest-src 'self'",
-      "upgrade-insecure-requests"
+      if @protocol == "https" do
+        "upgrade-insecure-requests"
+      end
    ]
    |> Enum.join("; ")
  end