Commit graph

33 commits

Author SHA1 Message Date
Mark Felder af612bd006 Ensure all CSP parameters for remote hosts have a scheme 2020-07-05 10:11:43 -05:00
Mark Felder e9a28078ad Rename function and clarify that CSP is only strict with MediaProxy enabled 2020-07-03 17:18:22 -05:00
Mark Felder eaa59daa4c Add Captcha endpoint to CSP headers when MediaProxy is enabled.
Our CSP rules are lax when MediaProxy enabled, but lenient otherwise.

This fixes broken captcha on instances not using MediaProxy.
2020-07-03 17:06:20 -05:00
Mark Felder 7f7a1a4676 Check for media proxy base_url, not Upload base_url 2020-06-11 11:05:22 -05:00
rinpatch 99afc7f4e4 HTTP security plug: add media proxy base url host to csp 2020-06-10 20:09:16 +03:00
rinpatch d23b3701d8 Merge branch 'bugfix/csp-unproxied' into 'develop'
http_security_plug.ex: Fix non-proxied media

See merge request pleroma/pleroma!2610
2020-05-29 21:23:49 +00:00
rinpatch 109af93227 Apply suggestion to lib/pleroma/plugs/http_security_plug.ex 2020-05-29 21:15:07 +00:00
Alex Gleason d38f28870e
Add blob: to connect-src CSP 2020-05-29 11:08:17 -05:00
Haelwenn (lanodan) Monnier da1e31fae3
http_security_plug.ex: Fix non-proxied media 2020-05-29 17:20:09 +02:00
rinpatch 27180611df HTTP Security plug: make starting csp string generation more readable 2020-05-29 12:32:48 +03:00
rinpatch 29ff6d414b HTTP security plug: Harden img-src and media-src when MediaProxy is enabled 2020-05-27 21:41:19 +03:00
rinpatch 455a402c8a HTTP Security plug: rewrite &csp_string/0
- Directives are now separated with ";" instead of " ;",
according to https://www.w3.org/TR/CSP2/#policy-parsing
the space is optional
- Use an IO list, which at the end gets converted to a binary as
opposed to ++ing a bunch of arrays with binaries together and joining
them to a string. I doubt it gives any significant real world advantage,
but the code is cleaner and now I can sleep at night.
- The static part of csp is pre-joined to a single binary at compile time.
Same reasoning as the last point.
2020-05-27 21:31:47 +03:00
Alex Gleason 1bd9749a8f
Let blob: pass CSP 2020-04-26 00:29:42 -05:00
Haelwenn (lanodan) Monnier 6da6540036
Bump copyright years of files changed after 2020-01-07
Done via the following command:
git diff fcd5dd259a --stat --name-only | xargs sed -i '/Pleroma Authors/c# Copyright © 2017-2020 Pleroma Authors <https:\/\/pleroma.social\/>'
2020-03-02 06:08:45 +01:00
feld 36becd5573 Update http_security_plug.ex 2020-01-30 14:07:41 +00:00
Egor Kislitsyn e07e7888d7
Fix credo warning 2020-01-29 18:53:43 +04:00
Egor Kislitsyn 2bd4d6289b
Make the warning more scarier 2020-01-29 18:43:23 +04:00
Egor Kislitsyn 6302b40791
Warn if HTTPSecurityPlug is disabled 2020-01-28 19:14:09 +04:00
rinpatch 92213fb87c Replace Mix.env with Pleroma.Config.get(:env)
Mix.env/0 is not availible in release environments such as distillery or
elixir's built-in releases.
2019-06-06 23:59:51 +03:00
Alex S aa11fa4864 add report uri and report to 2019-05-16 12:49:40 +07:00
feld acb04306b6 Standardize construction of websocket URL
This follows up on the change made in d747bd98
2019-05-03 11:45:04 +00:00
Haelwenn (lanodan) Monnier fc37e5815f
Plugs.HTTPSecurityPlug: Add static_url to CSP's connect-src
Closes: https://git.pleroma.social/pleroma/pleroma/merge_requests/469
2019-03-05 01:44:24 +01:00
Haelwenn (lanodan) Monnier da4c662af3
Plugs.HTTPSecurityPlug: Add webpacker to connect-src 2019-02-12 22:12:12 +01:00
Haelwenn (lanodan) Monnier 00e8f0b07d
Plugs.HTTPSecurityPlug: Add unsafe-eval to script-src when in dev mode
This is needed to run dev mode mastofe at the same time
2019-02-12 22:12:11 +01:00
shibayashi ea1058929c
Use url[:scheme] instead of protocol to determine if https is enabled 2019-02-12 00:08:52 +01:00
William Pitcock 980b5288ed update copyright years to 2019 2018-12-31 15:41:47 +00:00
William Pitcock 2791ce9a1f add license boilerplate to pleroma core 2018-12-23 20:56:42 +00:00
Maksim Pechnikov 074fa790ba fix compile warnings 2018-12-09 20:50:08 +03:00
Haelwenn (lanodan) Monnier 04daa0fa44
Plugs.HTTPSecurityPlug: Activate upgrade-insecure-requests only when there is https
This fixes running mastofe with MIX_ENV=dev
2018-11-26 21:41:36 +01:00
shibayashi 591b11eafc
Add manifest-src to allow manifest.json 2018-11-26 20:48:24 +01:00
William Pitcock c07464607d http security: remove form-action from CSP definitions 2018-11-16 17:40:21 +00:00
William Pitcock ee5932a504 http security: allow referrer-policy to be configured 2018-11-12 15:14:46 +00:00
William Pitcock fe67665e19 rename CSPPlug to HTTPSecurityPlug. 2018-11-12 15:08:02 +00:00
Renamed from lib/pleroma/plugs/csp_plug.ex (Browse further)