Merge branch 'bugfix/csp-no-https' into 'develop'

Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https

See merge request pleroma/pleroma!475
This commit is contained in:
kaniini 2018-11-26 22:24:21 +00:00
commit bdb0c6e418

View File

@ -29,6 +29,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
end end
defp csp_string do defp csp_string do
protocol = Config.get([Pleroma.Web.Endpoint, :protocol])
[ [
"default-src 'none'", "default-src 'none'",
"base-uri 'self'", "base-uri 'self'",
@ -40,7 +42,9 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
"script-src 'self'", "script-src 'self'",
"connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"), "connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
"manifest-src 'self'", "manifest-src 'self'",
if @protocol == "https" do
"upgrade-insecure-requests" "upgrade-insecure-requests"
end
] ]
|> Enum.join("; ") |> Enum.join("; ")
end end