From ac0c00cdee239e6bc37c0df2bfdb9f0ec1d24606 Mon Sep 17 00:00:00 2001
From: FloatingGhost <hannah@coffee-and-dreams.uk>
Date: Thu, 10 Nov 2022 17:26:51 +0000
Subject: [PATCH] Add media sources to connect-src if media proxy is enabled

---
 lib/pleroma/web/plugs/http_security_plug.ex        | 14 ++++++--------
 test/pleroma/web/plugs/http_security_plug_test.exs |  8 ++++++++
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/lib/pleroma/web/plugs/http_security_plug.ex b/lib/pleroma/web/plugs/http_security_plug.ex
index 3e8e931d1..43b075447 100644
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@@ -104,14 +104,12 @@ defp csp_string do
         {[img_src, " https:"], [media_src, " https:"]}
       end
 
-    connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
-
-    connect_src =
-      if Config.get(:env) == :dev do
-        [connect_src, " http://localhost:3035/"]
-      else
-        connect_src
-      end
+    connect_src = if Config.get([:media_proxy, :enabled]) do
+      sources = build_csp_multimedia_source_list()
+      ["connect-src 'self' blob: ", static_url, ?\s, websocket_url, ?\s, sources]
+    else
+      ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
+    end
 
     script_src =
       if Config.get(:env) == :dev do
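Review bot: The new `connect_src` binding drops the `:dev`-only `http://localhost:3035/` entry that the removed lines added, while `script_src` immediately below keeps its `Config.get(:env) == :dev` branch; unless that removal is intended (the subject line does not mention it), re-add it after the new `if` as `connect_src = if Config.get(:env) == :dev, do: [connect_src, " http://localhost:3035/"], else: connect_src`. Security-wise, connect-src bounds where page scripts may fetch, XHR or open sockets to, so appending everything `build_csp_multimedia_source_list/0` returns (its body is not visible here) widens that allow-list to every origin it emits — if that list also carries whitelisted third-party media hosts rather than only the instance's own proxy/upload origins, those hosts become valid exfiltration targets for any injected script, and that should either be stated in the commit or the connect-src addition narrowed to the instance-controlled sources. On style, the context at the top of the hunk looks like the `else` of a sibling `if` that already checks `[:media_proxy, :enabled]` to build `img_src`/`media_src`; if it calls the same helper, computing `sources` once above both bindings avoids the duplicate config read and call, and `mix format` would put the `if` on the line after `connect_src =`.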
diff --git a/test/pleroma/web/plugs/http_security_plug_test.exs b/test/pleroma/web/plugs/http_security_plug_test.exs
index eb94cd665..7f85f4a11 100644
--- a/test/pleroma/web/plugs/http_security_plug_test.exs
+++ b/test/pleroma/web/plugs/http_security_plug_test.exs
@@ -100,12 +100,14 @@ test "media_proxy with base_url", %{conn: conn} do
       url = "https://example.com"
       clear_config([:media_proxy, :base_url], url)
       assert_media_img_src(conn, url)
+      assert_connect_src(conn, url)
     end
 
     test "upload with base url", %{conn: conn} do
       url = "https://example2.com"
       clear_config([Pleroma.Upload, :base_url], url)
       assert_media_img_src(conn, url)
+      assert_connect_src(conn, url)
     end
 
     test "with S3 public endpoint", %{conn: conn} do
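Review bot: Neither added assertion covers the negative case — with `[:media_proxy, :enabled]` false the connect-src directive must not pick up the media or upload URL, so a test that clears it and checks `refute csp =~ ~r/connect-src[^;]*#{Regex.escape(url)}/` would pin the branch the plug change introduces (the describe block's setup is outside the hunk, so the enabled default is inferred). The diffstat shows the test file gains only eight lines, so the `"with S3 public endpoint"` test that begins at the end of this hunk is not extended; if the S3 public endpoint also flows into `build_csp_multimedia_source_list/0`, `assert_connect_src(conn, url)` belongs there as well. The `assert_connect_src/2` helper added in the following hunk interpolates `url` into the regex unescaped and with no trailing `;`/whitespace anchor, so `.` matches any character and `https://example.com` would also accept `https://example.com.evil`; `Regex.escape(url)` plus an anchor such as `(?=[\s;])` keeps the assertion exact.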
@@ -138,6 +140,12 @@ defp assert_media_img_src(conn, url) do
     assert csp =~ "img-src 'self' data: blob: #{url};"
   end
 
+  defp assert_connect_src(conn, url) do
+    conn = get(conn, "/api/v1/instance")
+    [csp] = Conn.get_resp_header(conn, "content-security-policy")
+    assert csp =~ ~r/connect-src 'self' blob: [^;]+ #{url}/
+  end
+
   test "it does not send CSP headers when disabled", %{conn: conn} do
     clear_config([:http_security, :enabled], false)