Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https

This fixes running mastofe with MIX_ENV=dev
2018-11-26 21:40:29 +01:00 · 2018-11-26 21:40:29 +01:00 · 04daa0fa44
parent 3370924b8b
commit 04daa0fa44
1 changed files with 5 additions and 1 deletions
--- a/lib/pleroma/plugs/http_security_plug.ex
+++ b/lib/pleroma/plugs/http_security_plug.ex
@ -29,6 +29,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
  end

  defp csp_string do
+    protocol = Config.get([Pleroma.Web.Endpoint, :protocol])
+
    [
      "default-src 'none'",
      "base-uri 'self'",
@ -40,7 +42,9 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
      "script-src 'self'",
      "connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
      "manifest-src 'self'",
-      "upgrade-insecure-requests"
+      if @protocol == "https" do
+        "upgrade-insecure-requests"
+      end
    ]
    |> Enum.join("; ")
  end