Commit bdb0c6e4 authored by kaniini's avatar kaniini
Browse files

Merge branch 'bugfix/csp-no-https' into 'develop'

Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https

See merge request !475
parents 3370924b 04daa0fa
Pipeline #4717 passed with stages
in 7 minutes and 21 seconds
......@@ -29,6 +29,8 @@ defp headers do
end
defp csp_string do
protocol = Config.get([Pleroma.Web.Endpoint, :protocol])
[
"default-src 'none'",
"base-uri 'self'",
......@@ -40,7 +42,9 @@ defp csp_string do
"script-src 'self'",
"connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
"manifest-src 'self'",
"upgrade-insecure-requests"
if @protocol == "https" do
"upgrade-insecure-requests"
end
]
|> Enum.join("; ")
end
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment