csp: fix connect-src

Alex Gleason 2024-11-14 20:18:03 -06:00
parent 02ada73f48
commit 3d376ba8b3
No known key found for this signature in database
GPG key ID: 7211D1F99744FBB7


@ -19,12 +19,16 @@ export const cspMiddleware = (): AppMiddleware => {
const configDB = await configDBCache; const configDB = await configDBCache;
const sentryDsn = configDB.getIn(':pleroma', ':frontend_configurations', ':soapbox_fe', 'sentryDsn'); const sentryDsn = configDB.getIn(':pleroma', ':frontend_configurations', ':soapbox_fe', 'sentryDsn');
const connectSrc = ["'self'", 'blob:', origin, `${wsProtocol}//${host}`];
if (typeof sentryDsn === 'string') {
connectSrc.push(sentryDsn);
}
const policies = [ const policies = [
'upgrade-insecure-requests', 'upgrade-insecure-requests',
`script-src 'self'`, `script-src 'self'`,
`connect-src 'self' blob: ${origin} ${wsProtocol}//${host}` + typeof sentryDsn === 'string' `connect-src ${connectSrc.join(' ')}`,
? ` ${sentryDsn}`
: '',
`media-src 'self' https:`, `media-src 'self' https:`,
`img-src 'self' data: blob: https:`, `img-src 'self' data: blob: https:`,
`default-src 'none'`, `default-src 'none'`,
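Review bot: The `connectSrc.push(sentryDsn)` line puts the configured value into the header verbatim, and a Sentry DSN normally has the form `https://<key>@<host>/<project>`; CSP source expressions have no userinfo part, so browsers are likely to discard that entry as invalid and requests to Sentry would still be blocked. Because the value is joined into the header unchecked, whitespace or a `;` in the stored setting would also add sources or whole directives to the policy. Pushing only the parsed origin covers both: `try { connectSrc.push(new URL(sentryDsn).origin); } catch { /* malformed DSN: leave it out */ }`. The cspMiddleware body starts and ends outside this hunk, so whether the value is validated elsewhere is not visible here.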