Merge branch 'develop' into stable

CHANGELOG.md

@@ -18,6 +18,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Support for `streams` public key URIs
 - Bookmarks are cleaned up on DB prune now
 
+## Security
+- Fixed mediaproxy being a bit of a silly billy
+
 ## 2023.04
 
 ## Added

lib/pleroma/reverse_proxy.ex

@@ -251,6 +251,7 @@ defmodule Pleroma.ReverseProxy do
     |> Enum.filter(fn {k, _} -> k in @keep_resp_headers end)
     |> build_resp_cache_headers(opts)
     |> build_resp_content_disposition_header(opts)
+    |> build_csp_headers()
     |> Keyword.merge(Keyword.get(opts, :resp_headers, []))
   end
 
@@ -316,6 +317,10 @@ defmodule Pleroma.ReverseProxy do
     end
   end
 
+  defp build_csp_headers(headers) do
+    List.keystore(headers, "content-security-policy", 0, {"content-security-policy", "sandbox"})
+  end
+
   defp header_length_constraint(headers, limit) when is_integer(limit) and limit > 0 do
     with {_, size} <- List.keyfind(headers, "content-length", 0),
          {size, _} <- Integer.parse(size),

lib/pleroma/web/plugs/uploaded_media.ex

@@ -42,7 +42,7 @@ defmodule Pleroma.Web.Plugs.UploadedMedia do
         conn ->
           conn
       end
-      |> merge_resp_headers([{"content-security-policy", "sandbox"}])
+      |> merge_resp_headers([{"content-security-policy", "script-src none"}])
 
     config = Pleroma.Config.get(Pleroma.Upload)
 

mix.exs

@@ -4,7 +4,7 @@ defmodule Pleroma.Mixfile do
   def project do
     [
       app: :pleroma,
-      version: version("3.9.0"),
+      version: version("3.9.1"),
       elixir: "~> 1.14",
       elixirc_paths: elixirc_paths(Mix.env()),
       compilers: [:phoenix] ++ Mix.compilers(),