mirrors/gotosocial
1
0
Fork 0
mirror of https://github.com/superseriousbusiness/gotosocial.git synced 2025-10-29 01:32:25 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

[bugfix] CSP policy fixes for S3/object storage (#2104)

Browse source 
* [bugfix] CSP policy fixes for S3 in non-proxied mode

* It should be img-src
* In both img-src and media-src we still need to include 'self'
This commit is contained in:
Daenney 2023-08-12 12:21:48 +02:00 committed by GitHub
commit 5e368d3089
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

8
internal/middleware/extraheaders.go
View file

@ -83,11 +83,15 @@ func BuildContentSecurityPolicy() string {
// Construct endpoint URL.
s3EndpointURLStr := scheme + "://" + s3Endpoint
// When object storage is in use in non-proxied mode, GtS still serves some
// assets itself like the logo, so keep 'self' in there. That should also
// handle any redirects from the fileserver to object storage.
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
policy += "; image-src " + s3EndpointURLStr
policy += "; img-src 'self' " + s3EndpointURLStr
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
policy += "; media-src " + s3EndpointURLStr
policy += "; media-src 'self' " + s3EndpointURLStr
return policy
}