
Added https: to connect-src

Code Monkey requested to merge cod3monk3y/pleroma:develop into develop

I was noticing some strange behavior on a few friends' devices. Luckily I was able to reproduce the bug on my GF's version of Chrome. Strangely not on my version of Chrome (latest stable for Linux).

When using the pleroma-fe there was an issue on login where it was blocking requests to pleroma's api routes, because it was in violation of the content security policy for connect-src.

This change whitelists any https requests coming from the page. After some research I've concluded this doesn't open up any vulnerabilities.
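An added example, not part of the merge request or of Pleroma's code: a minimal `connect-src` evaluator that shows which request URLs pass before and after `https:` is added to the directive. The policies, the hosts (`instance.example`, `api.other.example`) and the paths are constructed for illustration and are not Pleroma's real header; the matcher is simplified to `'self'` as an exact scheme and host match, scheme-sources, and `scheme://host` sources, with no wildcards or paths.

```javascript
// Constructed policies (assumptions, not Pleroma's actual CSP header).
const BEFORE = "default-src 'none'; connect-src 'self' wss://instance.example";
const AFTER = "default-src 'none'; connect-src 'self' https: wss://instance.example";
const PAGE = 'https://instance.example'; // hypothetical origin serving pleroma-fe

// Return the source list governing fetch/XHR/WebSocket, or null if none applies.
function connectSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per CSP, only the first occurrence of a directive counts.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  // connect-src falls back to default-src when absent.
  return directives.get('connect-src') ?? directives.get('default-src') ?? null;
}

// Same scheme and same host:port (default ports are normalised away by URL).
const sameSite = (a, b) => a.protocol === b.protocol && a.host === b.host;

function allowsConnect(policy, pageOrigin, requestUrl) {
  const sources = connectSources(policy);
  if (sources === null) return true; // no governing directive: unrestricted
  const url = new URL(requestUrl);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'none'") return false;
    if (s === "'self'") return sameSite(new URL(pageOrigin), url);
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source
    try { return sameSite(new URL(s), url); } catch { return false; }
  });
}

// Evaluate constructed request URLs against both policies.
function compare(urls) {
  return urls.map((u) => ({
    url: u,
    before: allowsConnect(BEFORE, PAGE, u),
    after: allowsConnect(AFTER, PAGE, u),
  }));
}

console.table(compare([
  'https://instance.example/api/example',  // same-origin API call
  'https://api.other.example/api/example', // HTTPS call to a different host
  'http://api.other.example/api/example',  // plain HTTP to a different host
  'wss://instance.example/socket',         // WebSocket listed explicitly
]));
```

The only row that changes between the two policies is the HTTPS request to a different host, which is what a bare `https:` scheme-source covers: every HTTPS destination, not one named host.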
