Mark Felder
7f7a1a4676
Check for media proxy base_url, not Upload base_url
2020-06-11 11:05:22 -05:00

rinpatch
99afc7f4e4
HTTP security plug: add media proxy base url host to csp
2020-06-10 20:09:16 +03:00

rinpatch
d23b3701d8
Merge branch 'bugfix/csp-unproxied' into 'develop'
http_security_plug.ex: Fix non-proxied media
See merge request pleroma/pleroma!2610
2020-05-29 21:23:49 +00:00

rinpatch
109af93227
Apply suggestion to lib/pleroma/plugs/http_security_plug.ex
2020-05-29 21:15:07 +00:00

Alex Gleason
d38f28870e
Add blob: to connect-src CSP
2020-05-29 11:08:17 -05:00

Haelwenn (lanodan) Monnier
da1e31fae3
http_security_plug.ex: Fix non-proxied media
2020-05-29 17:20:09 +02:00

rinpatch
27180611df
HTTP Security plug: make starting csp string generation more readable
2020-05-29 12:32:48 +03:00

rinpatch
29ff6d414b
HTTP security plug: Harden img-src and media-src when MediaProxy is enabled
2020-05-27 21:41:19 +03:00

rinpatch
455a402c8a
HTTP Security plug: rewrite &csp_string/0
- Directives are now separated with ";" instead of " ;",
according to https://www.w3.org/TR/CSP2/#policy-parsing
the space is optional
- Use an IO list, which at the end gets converted to a binary as
opposed to ++ing a bunch of arrays with binaries together and joining
them to a string. I doubt it gives any significant real world advantage,
but the code is cleaner and now I can sleep at night.
- The static part of csp is pre-joined to a single binary at compile time.
Same reasoning as the last point.
2020-05-27 21:31:47 +03:00

Alex Gleason
1bd9749a8f
Let blob: pass CSP
2020-04-26 00:29:42 -05:00

Haelwenn (lanodan) Monnier
6da6540036
Bump copyright years of files changed after 2020-01-07
Done via the following command:
git diff fcd5dd259a
2020-03-02 06:08:45 +01:00

feld
36becd5573
Update http_security_plug.ex
2020-01-30 14:07:41 +00:00

Egor Kislitsyn
e07e7888d7
Fix credo warning
2020-01-29 18:53:43 +04:00

Egor Kislitsyn
2bd4d6289b
Make the warning more scarier
2020-01-29 18:43:23 +04:00

Egor Kislitsyn
6302b40791
Warn if HTTPSecurityPlug is disabled
2020-01-28 19:14:09 +04:00

rinpatch
92213fb87c
Replace Mix.env with Pleroma.Config.get(:env)
Mix.env/0 is not available in release environments such as distillery or
elixir's built-in releases.
2019-06-06 23:59:51 +03:00

Alex S
aa11fa4864
add report uri and report to
2019-05-16 12:49:40 +07:00

feld
acb04306b6
Standardize construction of websocket URL
This follows up on the change made in d747bd98
2019-05-03 11:45:04 +00:00

Haelwenn (lanodan) Monnier
fc37e5815f
Plugs.HTTPSecurityPlug: Add static_url to CSP's connect-src
Closes: https://git.pleroma.social/pleroma/pleroma/merge_requests/469
2019-03-05 01:44:24 +01:00

Haelwenn (lanodan) Monnier
da4c662af3
Plugs.HTTPSecurityPlug: Add webpacker to connect-src
2019-02-12 22:12:12 +01:00

Haelwenn (lanodan) Monnier
00e8f0b07d
Plugs.HTTPSecurityPlug: Add unsafe-eval to script-src when in dev mode
This is needed to run dev mode mastofe at the same time
2019-02-12 22:12:11 +01:00

shibayashi
ea1058929c
Use url[:scheme] instead of protocol to determine if https is enabled
2019-02-12 00:08:52 +01:00

William Pitcock
980b5288ed
update copyright years to 2019
2018-12-31 15:41:47 +00:00

William Pitcock
2791ce9a1f
add license boilerplate to pleroma core
2018-12-23 20:56:42 +00:00

Maksim Pechnikov
074fa790ba
fix compile warnings
2018-12-09 20:50:08 +03:00

Haelwenn (lanodan) Monnier
04daa0fa44
Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https
This fixes running mastofe with MIX_ENV=dev
2018-11-26 21:41:36 +01:00

shibayashi
591b11eafc
Add manifest-src to allow manifest.json
2018-11-26 20:48:24 +01:00

William Pitcock
c07464607d
http security: remove form-action from CSP definitions
2018-11-16 17:40:21 +00:00

William Pitcock
ee5932a504
http security: allow referrer-policy to be configured
2018-11-12 15:14:46 +00:00

William Pitcock
fe67665e19
rename CSPPlug to HTTPSecurityPlug.
2018-11-12 15:08:02 +00:00