SuperSeriousBusiness/GoToSocial
1
1
Fork 0
mirror of https://github.com/superseriousbusiness/gotosocial synced 2025-06-05 21:59:39 +02:00
Code Issues Projects Releases Wiki Activity

[bugfix] CSP policy fixes for S3/object storage (#2104)

Browse Source 
* [bugfix] CSP policy fixes for S3 in non-proxied mode

* It should be img-src
* In both img-src and media-src we still need to include 'self'
This commit is contained in:
Daenney
2023-08-12 12:21:48 +02:00
committed by GitHub
parent b7274545e0
commit 5e368d3089
2 changed files with 10 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
internal/middleware/extraheaders.go
View File

@@ -83,11 +83,15 @@ func BuildContentSecurityPolicy() string {
// Construct endpoint URL.
s3EndpointURLStr := scheme + "://" + s3Endpoint
// When object storage is in use in non-proxied mode, GtS still serves some
// assets itself like the logo, so keep 'self' in there. That should also
// handle any redirects from the fileserver to object storage.
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src
policy += "; image-src " + s3EndpointURLStr
policy += "; img-src 'self' " + s3EndpointURLStr
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src
policy += "; media-src " + s3EndpointURLStr
policy += "; media-src 'self' " + s3EndpointURLStr
return policy
}