author Alex Gleason <alex@alexgleason.me> 2020-05-29 10:33:31 -0500
committer Alex Gleason <alex@alexgleason.me> 2020-05-29 11:08:17 -0500
commit d38f28870e7ba1c8c1b315d52e68a83fb1a68b6d (patch)
tree 4e7ff8eee100a4732a3eaa07bd57d45c74ab5551
parent 984897810956c723a48f49bf8e097471527ebd38 (diff)
Add blob: to connect-src CSP
-rw-r--r-- CHANGELOG.md 1
-rw-r--r-- lib/pleroma/plugs/http_security_plug.ex 2
2 files changed, 2 insertions, 1 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dabc2a85a..839bf90ab 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -44,6 +44,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Fix follower/blocks import when nicknames starts with @
- Filtering of push notifications on activities from blocked domains
- Resolving Peertube accounts with Webfinger
+- `blob:` urls not being allowed by connect-src CSP
## [Unreleased (patch)]
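Review bot: The added entry on the `+` line describes a symptom rather than the change, and it does not tell an operator that the default Content-Security-Policy header is now different. Suggest wording it as the change itself, for example "Allow `blob:` URLs in the `connect-src` CSP directive", with "URLs" capitalised, and naming the client feature that was blocked if it is known.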
diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex
index 2208d1d6c..41e3a31f4 100644
--- a/lib/pleroma/plugs/http_security_plug.ex
+++ b/lib/pleroma/plugs/http_security_plug.ex
@@ -78,7 +78,7 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
{img_src, media_src}
end
- connect_src = ["connect-src 'self' ", static_url, ?\s, websocket_url]
+ connect_src = ["connect-src 'self' blob: ", static_url, ?\s, websocket_url]
connect_src =
if Pleroma.Config.get(:env) == :dev do
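Review bot: The `+` line adds `blob:` to the `connect-src` literal unconditionally, and nothing in the hunk, the commit message or the changelog entry records which frontend request needed it. Since `connect-src` governs what scripts may reach with fetch and XHR, each source added to it should carry its justification: a one-line comment above `connect_src = [...]` naming the consumer would let a later reviewer judge whether `blob:` is still required. The commit touches only CHANGELOG.md and this file, so a test asserting that the emitted header contains `blob:` in `connect-src` would also keep a future rewrite of this list from silently dropping or widening it.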