Merge branch 'bugfix/csp-no-https' into 'develop'

Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https See merge request pleroma/pleroma!475
author: kaniini <nenolod@gmail.com> 2018-11-26 22:24:21 +0000
committer: kaniini <nenolod@gmail.com> 2018-11-26 22:24:21 +0000
commit: bdb0c6e418b89b841496737c22ecef65cbe6150d (patch)
tree: 98c121f32aa41b75f4356f86d4ac14c6b22f6983
parent: 3370924b8ba87354249182694cfa3b598a66e6de (diff)
parent: 04daa0fa4473075c873aa733e4e2876c557b0444 (diff)
download: pleroma-bdb0c6e418b89b841496737c22ecef65cbe6150d.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex
index 84d6506e3..4c32653ea 100644
--- a/lib/pleroma/plugs/http_security_plug.ex
+++ b/lib/pleroma/plugs/http_security_plug.ex
@@ -29,6 +29,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
   end
 
   defp csp_string do
+    protocol = Config.get([Pleroma.Web.Endpoint, :protocol])
+
     [
       "default-src 'none'",
       "base-uri 'self'",
@@ -40,7 +42,9 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
       "script-src 'self'",
       "connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
       "manifest-src 'self'",
-      "upgrade-insecure-requests"
+      if @protocol == "https" do
+        "upgrade-insecure-requests"
+      end
     ]
     |> Enum.join("; ")
   end
author	kaniini <nenolod@gmail.com>	2018-11-26 22:24:21 +0000
committer	kaniini <nenolod@gmail.com>	2018-11-26 22:24:21 +0000
commit	bdb0c6e418b89b841496737c22ecef65cbe6150d (patch)
tree	98c121f32aa41b75f4356f86d4ac14c6b22f6983
parent	3370924b8ba87354249182694cfa3b598a66e6de (diff)
parent	04daa0fa4473075c873aa733e4e2876c557b0444 (diff)
download	pleroma-bdb0c6e418b89b841496737c22ecef65cbe6150d.tar.gz