From f26108dba149584f10648cb2fba4e86c0a6e57ff Mon Sep 17 00:00:00 2001
From: r3g_5z <june@terezi.dev>
Date: Sun, 20 Nov 2022 00:34:53 -0500
Subject: [PATCH] Set base-uri to none

pleroma-fe doesn't use this and it seems too niche to have any use-case

Signed-off-by: r3g_5z <june@terezi.dev>
---
 docs/docs/configuration/hardening.md        | 2 +-
 docs/docs/installation/openbsd_en.md        | 2 +-
 lib/pleroma/web/plugs/http_security_plug.ex | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/docs/configuration/hardening.md b/docs/docs/configuration/hardening.md
index 1e4179686..c5a9e160b 100644
--- a/docs/docs/configuration/hardening.md
+++ b/docs/docs/configuration/hardening.md
@@ -33,7 +33,7 @@ A content security policy (CSP) will also be set:
 ```csp
 content-security-policy:
   default-src 'none';
-  base-uri 'self';
+  base-uri 'none';
   frame-ancestors 'none';
   img-src 'self' data: blob: https:;
   media-src 'self' https:;
diff --git a/docs/docs/installation/openbsd_en.md b/docs/docs/installation/openbsd_en.md
index a62421ee4..9693467f2 100644
--- a/docs/docs/installation/openbsd_en.md
+++ b/docs/docs/installation/openbsd_en.md
@@ -165,7 +165,7 @@ http protocol plerup { # Protocol for upstream akkoma server
 	match response header append "X-Frame-Options" value "DENY"
 	match response header append "X-Content-Type-Options" value "nosniff"
 	match response header append "Referrer-Policy" value "same-origin"
-	match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'self'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here
+	match response header append "Content-Security-Policy" value "default-src 'none'; base-uri 'none'; form-action 'self'; img-src 'self' data: https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; script-src 'self'; connect-src 'self' wss://CHANGEME.tld; upgrade-insecure-requests;" # Modify "CHANGEME.tld" and set your instance's domain here
 	match request header append "Connection" value "upgrade"
 	#match response header append "Strict-Transport-Security" value "max-age=63072000; includeSubDomains; preload" # Uncomment this only after you get HTTPS working.
 
diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
index 9e76ebd84..47874a980 100644
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -75,7 +75,7 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do
 
   static_csp_rules = [
     "default-src 'none'",
-    "base-uri 'self'",
+    "base-uri 'none'",
     "frame-ancestors 'none'",
     "style-src 'self' 'unsafe-inline'",
     "font-src 'self'",