aljaz/ditto
1
0
Fork 0
mirror of https://github.com/aljazceru/ditto.git synced 2025-12-17 05:24:22 +01:00
Code Issues Packages Projects Releases Wiki Activity

csp: fix connect-src

Browse Source
This commit is contained in:
Alex Gleason
2024-11-14 20:18:03 -06:00
parent 02ada73f48
commit 3d376ba8b3
1 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/middleware/cspMiddleware.ts
View File

@@ -19,12 +19,16 @@ export const cspMiddleware = (): AppMiddleware => {
const configDB = await configDBCache; const configDB = await configDBCache;
const sentryDsn = configDB.getIn(':pleroma', ':frontend_configurations', ':soapbox_fe', 'sentryDsn'); const sentryDsn = configDB.getIn(':pleroma', ':frontend_configurations', ':soapbox_fe', 'sentryDsn');
const connectSrc = ["'self'", 'blob:', origin, `${wsProtocol}//${host}`];
if (typeof sentryDsn === 'string') {
connectSrc.push(sentryDsn);
}
const policies = [ const policies = [
'upgrade-insecure-requests', 'upgrade-insecure-requests',
`script-src 'self'`, `script-src 'self'`,
`connect-src 'self' blob: ${origin} ${wsProtocol}//${host}` + typeof sentryDsn === 'string' `connect-src ${connectSrc.join(' ')}`,
? ` ${sentryDsn}`
: '',
`media-src 'self' https:`, `media-src 'self' https:`,
`img-src 'self' data: blob: https:`, `img-src 'self' data: blob: https:`,
`default-src 'none'`, `default-src 'none'`,