Merge branch 'csp-flash' into 'develop'

allow https: so that flash works across instances without need for media proxy See merge request pleroma/pleroma!3879
2023-08-16 13:37:49 +00:00 · 2023-08-16 13:37:49 +00:00 · 1e685c8302
parent b729a8b140 d838d1990b
commit 1e685c8302
2 changed files with 13 additions and 4 deletions
--- a/changelog.d/3879.fix
+++ b/changelog.d/3879.fix
@ -0,0 +1 @@
+fix not being able to fetch flash file from remote instance
--- a/lib/pleroma/web/plugs/http_security_plug.ex
+++ b/lib/pleroma/web/plugs/http_security_plug.ex
@ -93,18 +93,26 @@ defmodule Pleroma.Web.Plugs.HTTPSecurityPlug do

    img_src = "img-src 'self' data: blob:"
    media_src = "media-src 'self'"
+    connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]

    # Strict multimedia CSP enforcement only when MediaProxy is enabled
-    {img_src, media_src} =
+    {img_src, media_src, connect_src} =
      if Config.get([:media_proxy, :enabled]) &&
           !Config.get([:media_proxy, :proxy_opts, :redirect_on_failure]) do
        sources = build_csp_multimedia_source_list()
-        {[img_src, sources], [media_src, sources]}
+        {
+          [img_src, sources],
+          [media_src, sources],
+          [connect_src, sources]
+        }
      else
-        {[img_src, " https:"], [media_src, " https:"]}
+        {
+          [img_src, " https:"],
+          [media_src, " https:"],
+          [connect_src, " https:"]
+        }
      end

-    connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]

    connect_src =
      if Config.get(:env) == :dev do
				`@ -0,0 +1 @@`
				`fix not being able to fetch flash file from remote instance`