Merge branch 'bugfix/csp-no-https' into 'develop'
Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https See merge request pleroma/pleroma!475
This commit is contained in:
commit
bdb0c6e418
|
@ -29,6 +29,8 @@ defp headers do
|
|||
end
|
||||
|
||||
defp csp_string do
|
||||
protocol = Config.get([Pleroma.Web.Endpoint, :protocol])
|
||||
|
||||
[
|
||||
"default-src 'none'",
|
||||
"base-uri 'self'",
|
||||
|
@ -40,7 +42,9 @@ defp csp_string do
|
|||
"script-src 'self'",
|
||||
"connect-src 'self' " <> String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
|
||||
"manifest-src 'self'",
|
||||
"upgrade-insecure-requests"
|
||||
if @protocol == "https" do
|
||||
"upgrade-insecure-requests"
|
||||
end
|
||||
]
|
||||
|> Enum.join("; ")
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue