Mark Felder
e9a28078ad
Rename function and clarify that CSP is only strict with MediaProxy enabled
2020-07-03 17:18:22 -05:00
Mark Felder
eaa59daa4c
Add Captcha endpoint to CSP headers when MediaProxy is enabled.
...
Our CSP rules are lax when MediaProxy enabled, but lenient otherwise.
This fixes broken captcha on instances not using MediaProxy.
2020-07-03 17:06:20 -05:00
Mark Felder
7f7a1a4676
Check for media proxy base_url, not Upload base_url
2020-06-11 11:05:22 -05:00
rinpatch
99afc7f4e4
HTTP security plug: add media proxy base url host to csp
2020-06-10 20:09:16 +03:00
rinpatch
d23b3701d8
Merge branch 'bugfix/csp-unproxied' into 'develop'
...
http_security_plug.ex: Fix non-proxied media
See merge request pleroma/pleroma!2610
2020-05-29 21:23:49 +00:00
rinpatch
109af93227
Apply suggestion to lib/pleroma/plugs/http_security_plug.ex
2020-05-29 21:15:07 +00:00
Alex Gleason
d38f28870e
Add blob: to connect-src CSP
2020-05-29 11:08:17 -05:00
Haelwenn (lanodan) Monnier
da1e31fae3
http_security_plug.ex: Fix non-proxied media
2020-05-29 17:20:09 +02:00
rinpatch
27180611df
HTTP Security plug: make starting csp string generation more readable
2020-05-29 12:32:48 +03:00
rinpatch
29ff6d414b
HTTP security plug: Harden img-src and media-src when MediaProxy is enabled
2020-05-27 21:41:19 +03:00
rinpatch
455a402c8a
HTTP Security plug: rewrite &csp_string/0
...
- Directives are now separated with ";" instead of " ;",
according to https://www.w3.org/TR/CSP2/#policy-parsing
the space is optional
- Use an IO list, which at the end gets converted to a binary as
opposed to ++ing a bunch of arrays with binaries together and joining
them to a string. I doubt it gives any significant real world advantage,
but the code is cleaner and now I can sleep at night.
- The static part of csp is pre-joined to a single binary at compile time.
Same reasoning as the last point.
2020-05-27 21:31:47 +03:00
Alex Gleason
1bd9749a8f
Let blob: pass CSP
2020-04-26 00:29:42 -05:00
Haelwenn (lanodan) Monnier
6da6540036
Bump copyright years of files changed after 2020-01-07
...
Done via the following command:
git diff fcd5dd259a
--stat --name-only | xargs sed -i '/Pleroma Authors/c# Copyright © 2017-2020 Pleroma Authors <https:\/\/pleroma.social\/>'
2020-03-02 06:08:45 +01:00
36becd5573
Update http_security_plug.ex
2020-01-30 14:07:41 +00:00
Egor Kislitsyn
e07e7888d7
Fix credo warning
2020-01-29 18:53:43 +04:00
Egor Kislitsyn
2bd4d6289b
Make the warning more scarier
2020-01-29 18:43:23 +04:00
Egor Kislitsyn
6302b40791
Warn if HTTPSecurityPlug is disabled
2020-01-28 19:14:09 +04:00
rinpatch
92213fb87c
Replace Mix.env with Pleroma.Config.get(:env)
...
Mix.env/0 is not availible in release environments such as distillery or
elixir's built-in releases.
2019-06-06 23:59:51 +03:00
Alex S
aa11fa4864
add report uri and report to
2019-05-16 12:49:40 +07:00
acb04306b6
Standardize construction of websocket URL
...
This follows up on the change made in d747bd98
2019-05-03 11:45:04 +00:00
Haelwenn (lanodan) Monnier
fc37e5815f
Plugs.HTTPSecurityPlug: Add static_url to CSP's connect-src
...
Closes: https://git.pleroma.social/pleroma/pleroma/merge_requests/469
2019-03-05 01:44:24 +01:00
Haelwenn (lanodan) Monnier
da4c662af3
Plugs.HTTPSecurityPlug: Add webpacker to connect-src
2019-02-12 22:12:12 +01:00
Haelwenn (lanodan) Monnier
00e8f0b07d
Plugs.HTTPSecurityPlug: Add unsafe-eval to script-src when in dev mode
...
This is needed to run dev mode mastofe at the same time
2019-02-12 22:12:11 +01:00
shibayashi
ea1058929c
Use url[:scheme] instead of protocol to determine if https is enabled
2019-02-12 00:08:52 +01:00
William Pitcock
980b5288ed
update copyright years to 2019
2018-12-31 15:41:47 +00:00
William Pitcock
2791ce9a1f
add license boilerplate to pleroma core
2018-12-23 20:56:42 +00:00
Maksim Pechnikov
074fa790ba
fix compile warnings
2018-12-09 20:50:08 +03:00
Haelwenn (lanodan) Monnier
04daa0fa44
Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https
...
This fixes running mastofe with MIX_ENV=dev
2018-11-26 21:41:36 +01:00
shibayashi
591b11eafc
Add manifest-src to allow manifest.json
2018-11-26 20:48:24 +01:00
William Pitcock
c07464607d
http security: remove form-action from CSP definitions
2018-11-16 17:40:21 +00:00
William Pitcock
ee5932a504
http security: allow referrer-policy to be configured
2018-11-12 15:14:46 +00:00
William Pitcock
fe67665e19
rename CSPPlug to HTTPSecurityPlug.
2018-11-12 15:08:02 +00:00