Commit graph

33 commits

Author SHA1 Message Date
Mark Felder
af612bd006 Ensure all CSP parameters for remote hosts have a scheme 2020-07-05 10:11:43 -05:00
Mark Felder
e9a28078ad Rename function and clarify that CSP is only strict with MediaProxy enabled 2020-07-03 17:18:22 -05:00
Mark Felder
eaa59daa4c Add Captcha endpoint to CSP headers when MediaProxy is enabled.
Our CSP rules are lax when MediaProxy enabled, but lenient otherwise.

This fixes broken captcha on instances not using MediaProxy.
2020-07-03 17:06:20 -05:00
Mark Felder
7f7a1a4676 Check for media proxy base_url, not Upload base_url 2020-06-11 11:05:22 -05:00
rinpatch
99afc7f4e4 HTTP security plug: add media proxy base url host to csp 2020-06-10 20:09:16 +03:00
rinpatch
d23b3701d8 Merge branch 'bugfix/csp-unproxied' into 'develop'
http_security_plug.ex: Fix non-proxied media

See merge request pleroma/pleroma!2610
2020-05-29 21:23:49 +00:00
rinpatch
109af93227 Apply suggestion to lib/pleroma/plugs/http_security_plug.ex 2020-05-29 21:15:07 +00:00
Alex Gleason
d38f28870e
Add blob: to connect-src CSP 2020-05-29 11:08:17 -05:00
Haelwenn (lanodan) Monnier
da1e31fae3
http_security_plug.ex: Fix non-proxied media 2020-05-29 17:20:09 +02:00
rinpatch
27180611df HTTP Security plug: make starting csp string generation more readable 2020-05-29 12:32:48 +03:00
rinpatch
29ff6d414b HTTP security plug: Harden img-src and media-src when MediaProxy is enabled 2020-05-27 21:41:19 +03:00
rinpatch
455a402c8a HTTP Security plug: rewrite &csp_string/0
- Directives are now separated with ";" instead of " ;",
according to https://www.w3.org/TR/CSP2/#policy-parsing
the space is optional
- Use an IO list, which at the end gets converted to a binary as
opposed to ++ing a bunch of arrays with binaries together and joining
them to a string. I doubt it gives any significant real world advantage,
but the code is cleaner and now I can sleep at night.
- The static part of csp is pre-joined to a single binary at compile time.
Same reasoning as the last point.
2020-05-27 21:31:47 +03:00
Alex Gleason
1bd9749a8f
Let blob: pass CSP 2020-04-26 00:29:42 -05:00
Haelwenn (lanodan) Monnier
6da6540036
Bump copyright years of files changed after 2020-01-07
Done via the following command:
git diff fcd5dd259a --stat --name-only | xargs sed -i '/Pleroma Authors/c# Copyright © 2017-2020 Pleroma Authors <https:\/\/pleroma.social\/>'
2020-03-02 06:08:45 +01:00
36becd5573 Update http_security_plug.ex 2020-01-30 14:07:41 +00:00
Egor Kislitsyn
e07e7888d7
Fix credo warning 2020-01-29 18:53:43 +04:00
Egor Kislitsyn
2bd4d6289b
Make the warning more scarier 2020-01-29 18:43:23 +04:00
Egor Kislitsyn
6302b40791
Warn if HTTPSecurityPlug is disabled 2020-01-28 19:14:09 +04:00
rinpatch
92213fb87c Replace Mix.env with Pleroma.Config.get(:env)
Mix.env/0 is not availible in release environments such as distillery or
elixir's built-in releases.
2019-06-06 23:59:51 +03:00
Alex S
aa11fa4864 add report uri and report to 2019-05-16 12:49:40 +07:00
acb04306b6 Standardize construction of websocket URL
This follows up on the change made in d747bd98
2019-05-03 11:45:04 +00:00
Haelwenn (lanodan) Monnier
fc37e5815f
Plugs.HTTPSecurityPlug: Add static_url to CSP's connect-src
Closes: https://git.pleroma.social/pleroma/pleroma/merge_requests/469
2019-03-05 01:44:24 +01:00
Haelwenn (lanodan) Monnier
da4c662af3
Plugs.HTTPSecurityPlug: Add webpacker to connect-src 2019-02-12 22:12:12 +01:00
Haelwenn (lanodan) Monnier
00e8f0b07d
Plugs.HTTPSecurityPlug: Add unsafe-eval to script-src when in dev mode
This is needed to run dev mode mastofe at the same time
2019-02-12 22:12:11 +01:00
shibayashi
ea1058929c
Use url[:scheme] instead of protocol to determine if https is enabled 2019-02-12 00:08:52 +01:00
William Pitcock
980b5288ed update copyright years to 2019 2018-12-31 15:41:47 +00:00
William Pitcock
2791ce9a1f add license boilerplate to pleroma core 2018-12-23 20:56:42 +00:00
Maksim Pechnikov
074fa790ba fix compile warnings 2018-12-09 20:50:08 +03:00
Haelwenn (lanodan) Monnier
04daa0fa44
Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https
This fixes running mastofe with MIX_ENV=dev
2018-11-26 21:41:36 +01:00
shibayashi
591b11eafc
Add manifest-src to allow manifest.json 2018-11-26 20:48:24 +01:00
William Pitcock
c07464607d http security: remove form-action from CSP definitions 2018-11-16 17:40:21 +00:00
William Pitcock
ee5932a504 http security: allow referrer-policy to be configured 2018-11-12 15:14:46 +00:00
William Pitcock
fe67665e19 rename CSPPlug to HTTPSecurityPlug. 2018-11-12 15:08:02 +00:00
Renamed from lib/pleroma/plugs/csp_plug.ex (Browse further)