rinpatch
d23b3701d8
Merge branch 'bugfix/csp-unproxied' into 'develop'
http_security_plug.ex: Fix non-proxied media
See merge request pleroma/pleroma!2610
4 years ago
rinpatch
109af93227
Apply suggestion to lib/pleroma/plugs/http_security_plug.ex
4 years ago
Alex Gleason
d38f28870e
Add blob: to connect-src CSP
4 years ago
Haelwenn (lanodan) Monnier
da1e31fae3
http_security_plug.ex: Fix non-proxied media
4 years ago
rinpatch
27180611df
HTTP Security plug: make starting csp string generation more readable
4 years ago
rinpatch
29ff6d414b
HTTP security plug: Harden img-src and media-src when MediaProxy is enabled
4 years ago
rinpatch
455a402c8a
HTTP Security plug: rewrite &csp_string/0
- Directives are now separated with ";" instead of " ;",
according to https://www.w3.org/TR/CSP2/#policy-parsing
the space is optional
- Use an IO list, which at the end gets converted to a binary as
opposed to ++ing a bunch of arrays with binaries together and joining
them to a string. I doubt it gives any significant real world advantage,
but the code is cleaner and now I can sleep at night.
- The static part of csp is pre-joined to a single binary at compile time.
Same reasoning as the last point.
4 years ago
Alex Gleason
1bd9749a8f
Let blob: pass CSP
4 years ago
Haelwenn (lanodan) Monnier
6da6540036
Bump copyright years of files changed after 2020-01-07
Done via the following command:
git diff fcd5dd259a
--stat --name-only | xargs sed -i '/Pleroma Authors/c# Copyright © 2017-2020 Pleroma Authors <https:\/\/pleroma.social\/>'
5 years ago
feld
36becd5573
Update http_security_plug.ex
5 years ago
Egor Kislitsyn
e07e7888d7
Fix credo warning
5 years ago
Egor Kislitsyn
2bd4d6289b
Make the warning scarier
5 years ago
Egor Kislitsyn
6302b40791
Warn if HTTPSecurityPlug is disabled
5 years ago
rinpatch
92213fb87c
Replace Mix.env with Pleroma.Config.get(:env)
Mix.env/0 is not available in release environments such as distillery or
elixir's built-in releases.
5 years ago
Alex S
aa11fa4864
add report uri and report to
5 years ago
feld
acb04306b6
Standardize construction of websocket URL
This follows up on the change made in d747bd98
5 years ago
Haelwenn (lanodan) Monnier
fc37e5815f
Plugs.HTTPSecurityPlug: Add static_url to CSP's connect-src
Closes: https://git.pleroma.social/pleroma/pleroma/merge_requests/469
6 years ago
Haelwenn (lanodan) Monnier
da4c662af3
Plugs.HTTPSecurityPlug: Add webpacker to connect-src
6 years ago
Haelwenn (lanodan) Monnier
00e8f0b07d
Plugs.HTTPSecurityPlug: Add unsafe-eval to script-src when in dev mode
This is needed to run dev mode mastofe at the same time
6 years ago
shibayashi
ea1058929c
Use url[:scheme] instead of protocol to determine if https is enabled
6 years ago
William Pitcock
980b5288ed
update copyright years to 2019
6 years ago
William Pitcock
2791ce9a1f
add license boilerplate to pleroma core
6 years ago
Maksim Pechnikov
074fa790ba
fix compile warnings
6 years ago
Haelwenn (lanodan) Monnier
04daa0fa44
Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https
This fixes running mastofe with MIX_ENV=dev
6 years ago
shibayashi
591b11eafc
Add manifest-src to allow manifest.json
6 years ago
William Pitcock
c07464607d
http security: remove form-action from CSP definitions
6 years ago
William Pitcock
ee5932a504
http security: allow referrer-policy to be configured
6 years ago
William Pitcock
fe67665e19
rename CSPPlug to HTTPSecurityPlug.
6 years ago