mirror of
https://github.com/superseriousbusiness/gotosocial
synced 2024-12-23 23:11:53 +01:00
[bugfix] CSP policy fixes for S3/object storage (#2104)
* [bugfix] CSP policy fixes for S3 in non-proxied mode * It should be img-src * In both img-src and media-src we still need to include 'self'
This commit is contained in:
parent
b7274545e0
commit
5e368d3089
@ -83,11 +83,15 @@ func BuildContentSecurityPolicy() string {
|
||||
// Construct endpoint URL.
|
||||
s3EndpointURLStr := scheme + "://" + s3Endpoint
|
||||
|
||||
// When object storage is in use in non-proxied mode, GtS still serves some
|
||||
// assets itself like the logo, so keep 'self' in there. That should also
|
||||
// handle any redirects from the fileserver to object storage.
|
||||
|
||||
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
|
||||
policy += "; image-src " + s3EndpointURLStr
|
||||
policy += "; img-src 'self' " + s3EndpointURLStr
|
||||
|
||||
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
|
||||
policy += "; media-src " + s3EndpointURLStr
|
||||
policy += "; media-src 'self' " + s3EndpointURLStr
|
||||
|
||||
return policy
|
||||
}
|
||||
|
@ -44,25 +44,25 @@ func TestBuildContentSecurityPolicy(t *testing.T) {
|
||||
s3Endpoint: "some-bucket-provider.com",
|
||||
s3Proxy: false,
|
||||
s3Secure: true,
|
||||
expected: "default-src 'self'; image-src https://some-bucket-provider.com; media-src https://some-bucket-provider.com",
|
||||
expected: "default-src 'self'; img-src 'self' https://some-bucket-provider.com; media-src 'self' https://some-bucket-provider.com",
|
||||
},
|
||||
{
|
||||
s3Endpoint: "some-bucket-provider.com:6969",
|
||||
s3Proxy: false,
|
||||
s3Secure: true,
|
||||
expected: "default-src 'self'; image-src https://some-bucket-provider.com:6969; media-src https://some-bucket-provider.com:6969",
|
||||
expected: "default-src 'self'; img-src 'self' https://some-bucket-provider.com:6969; media-src 'self' https://some-bucket-provider.com:6969",
|
||||
},
|
||||
{
|
||||
s3Endpoint: "some-bucket-provider.com:6969",
|
||||
s3Proxy: false,
|
||||
s3Secure: false,
|
||||
expected: "default-src 'self'; image-src http://some-bucket-provider.com:6969; media-src http://some-bucket-provider.com:6969",
|
||||
expected: "default-src 'self'; img-src 'self' http://some-bucket-provider.com:6969; media-src 'self' http://some-bucket-provider.com:6969",
|
||||
},
|
||||
{
|
||||
s3Endpoint: "s3.nl-ams.scw.cloud",
|
||||
s3Proxy: false,
|
||||
s3Secure: true,
|
||||
expected: "default-src 'self'; image-src https://s3.nl-ams.scw.cloud; media-src https://s3.nl-ams.scw.cloud",
|
||||
expected: "default-src 'self'; img-src 'self' https://s3.nl-ams.scw.cloud; media-src 'self' https://s3.nl-ams.scw.cloud",
|
||||
},
|
||||
{
|
||||
s3Endpoint: "some-bucket-provider.com",
|
||||
|
Loading…
Reference in New Issue
Block a user