From 57bf30a984ccbe58e1506f903055a15c1ddaf8f2 Mon Sep 17 00:00:00 2001
From: Chocobozzz <me@florianbigard.com>
Date: Tue, 17 Jul 2018 18:44:47 +0200
Subject: [PATCH] Fix CSP

---
 server.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/server.ts b/server.ts
index b23ec5105..104de2153 100644
--- a/server.ts
+++ b/server.ts
@@ -27,7 +27,7 @@ import { checkMissedConfig, checkFFmpeg, checkConfig, checkActivityPubUrls } fro
 
 // Do not use barrels because we don't want to load all modules here (we need to initialize database first)
 import { logger } from './server/helpers/logger'
-import { API_VERSION, CONFIG, STATIC_PATHS, CACHE } from './server/initializers/constants'
+import { API_VERSION, CONFIG, STATIC_PATHS, CACHE, REMOTE_SCHEME } from './server/initializers/constants'
 
 const missed = checkMissedConfig()
 if (missed.length !== 0) {
@@ -59,14 +59,14 @@ app.use(helmet({
   },
   contentSecurityPolicy: {
     directives: {
-      defaultSrc: ['*', 'data:', 'wss:', 'https:'],
+      defaultSrc: ['*', 'data:', REMOTE_SCHEME.WS + ':', REMOTE_SCHEME.HTTP + ':'],
       fontSrc: ["'self'", 'data:'],
       frameSrc: ["'none'"],
-      mediaSrc: ['*', 'https:'],
+      mediaSrc: ['*', REMOTE_SCHEME.HTTP + ':'],
       objectSrc: ["'none'"],
       scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
       styleSrc: ["'self'", "'unsafe-inline'"],
-      upgradeInsecureRequests: true
+      upgradeInsecureRequests: false
     },
     browserSniff: false // assumes a modern browser, but allows CDN in front
   },
-- 
2.25.1