authorMaksim Pechnikov <parallel588@gmail.com>2020-05-28 21:54:37 +0300
committerMaksim Pechnikov <parallel588@gmail.com>2020-05-28 21:54:37 +0300
commit9e8b28d2c838d9a689808de66bc6a799d61e985e (patch)
treeb0ca76bcf72087591fb6c045747d186e56390fdf
parent1d30608e204b8c9a0afe817bbe1261b1a9af9240 (diff)
fix CSP: img-src, media-srcfix/http_secury_plug
-rw-r--r--lib/pleroma/plugs/http_security_plug.ex6
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/pleroma/plugs/http_security_plug.ex b/lib/pleroma/plugs/http_security_plug.ex
index 6462797b6..2423715aa 100644
--- a/lib/pleroma/plugs/http_security_plug.ex
+++ b/lib/pleroma/plugs/http_security_plug.ex
@@ -50,7 +50,7 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
end
defp csp_string do
- scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]
+ scheme = Config.get([Pleroma.Web.Endpoint, :url, :scheme])
static_url = Pleroma.Web.Endpoint.static_url()
websocket_url = Pleroma.Web.Endpoint.websocket_url()
report_uri = Config.get([:http_security, :report_uri])
@@ -75,8 +75,8 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
"default-src 'none'",
"base-uri 'self'",
"frame-ancestors 'none'",
- "img-src 'self' data: blob: https:",
- "media-src 'self' https:",
+ "img-src 'self' data: blob: #{scheme}:",
+ "media-src 'self' #{scheme}:",
"style-src 'self' 'unsafe-inline'",
"font-src 'self'",
"manifest-src 'self'",
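Review bot: The `#{scheme}:` interpolation in the `img-src` and `media-src` entries puts the endpoint's configured scheme into the CSP header with no default or validation visible in either hunk. If `:scheme` is unset, the lookup in the first hunk presumably returns `nil` and both directives end in a bare `:`, which is not a valid source expression, so remote images and media would be blocked. On an instance configured with `http`, the policy now allows those loads from any host over cleartext, which deserves a comment at the lookup since it is a deliberate widening. Consider normalising once where the value is read, e.g. `scheme = if Config.get([Pleroma.Web.Endpoint, :url, :scheme]) == "http", do: "http", else: "https"`. The body of `csp_string` continues outside these hunks, so a fallback may already exist in the part not shown.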