From 3d376ba8b3e747c7590502f9110492657f2d5401 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Thu, 14 Nov 2024 20:18:03 -0600
Subject: [PATCH] csp: fix connect-src

---
 src/middleware/cspMiddleware.ts | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/middleware/cspMiddleware.ts b/src/middleware/cspMiddleware.ts
index 2701e214..ed102f7a 100644
--- a/src/middleware/cspMiddleware.ts
+++ b/src/middleware/cspMiddleware.ts
@@ -19,12 +19,16 @@ export const cspMiddleware = (): AppMiddleware => {
 const configDB = await configDBCache;
 const sentryDsn = configDB.getIn(':pleroma', ':frontend_configurations', ':soapbox_fe', 'sentryDsn');
 
+ const connectSrc = ["'self'", 'blob:', origin, `${wsProtocol}//${host}`];
+
+ if (typeof sentryDsn === 'string') {
+ connectSrc.push(sentryDsn);
+ }
+
 const policies = [
 'upgrade-insecure-requests',
 `script-src 'self'`,
- `connect-src 'self' blob: ${origin} ${wsProtocol}//${host}` + typeof sentryDsn === 'string'
- ? ` ${sentryDsn}`
- : '',
+ `connect-src ${connectSrc.join(' ')}`,
 `media-src 'self' https:`,
 `img-src 'self' data: blob: https:`,
 `default-src 'none'`,
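Review bot: The value pushed in `connectSrc.push(sentryDsn)` is the raw DSN string from the config DB, and a Sentry DSN is a full URL whose `key@host` userinfo part is not part of the CSP host-source grammar, so the entry may be rejected by the browser and the reports would still be blocked; the config value is also written into the header verbatim, so any whitespace or `;` in it would land inside the Content-Security-Policy directive list. Deriving the origin with `new URL(sentryDsn).origin` yields a valid source expression and drops everything that is not scheme/host/port; a malformed DSN should be skipped rather than thrown, since this runs on every request. The `policies` join and the `origin`/`wsProtocol`/`host` bindings are outside the hunk, and `cspMiddleware` itself begins before it.
```typescript
if (typeof sentryDsn === 'string') {
  try {
    // CSP source expressions have no userinfo; use the DSN's origin only.
    connectSrc.push(new URL(sentryDsn).origin);
  } catch {
    // Malformed DSN: leave connect-src as-is rather than emit a broken directive.
  }
}
// … unchanged: policies array …
```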