[3.19] backports/thelounge: allow self https for connect-src #416

Merged
ayakael merged 1 commit from thelounge/https-connect-src-319 into v3.19 2024-02-27 23:08:26 +00:00
2 changed files with 16 additions and 1 deletions


@ -2,7 +2,7 @@
# Maintainer: Kay Thomas <kaythomas@pm.me>
pkgname=thelounge
pkgver=4.4.1
pkgrel=0
pkgrel=1
pkgdesc="Modern, responsive, cross-platform, self-hosted web IRC client"
url="https://thelounge.chat"
# x86: textrels
@ -19,6 +19,7 @@ install="$pkgname.pre-install $pkgname.post-install"
source="$pkgname-$pkgver.tar.gz::https://github.com/thelounge/thelounge/archive/v$pkgver.tar.gz
no-version-test.patch
thelounge.initd
allow-https-for-connect-src.patch
"
options="net" # npm
@ -78,4 +79,5 @@ sha512sums="
7695121a713a23688bc6f52dae2574bab1288eea930fd50d4dd85037233e9f23bd8e460980c69cdd14ea8648da4720d84e8196547b6a18e69d2f478b43d6e29a thelounge-4.4.1.tar.gz
cbf80e23b0af8f0185699d6b03816c645c51b85fff7f163d3cd3d00296ed816b6ab01529b359fbfd549a79e8adb72bbc83bc7a389cf13e0afd50636ff79a138e no-version-test.patch
f367d27ebcc412ff03c12ae98e50aeae5051fb5ffa9da6220f664c59993ed0e330b55b3b41fe941d546634901163d006e318891b4b886f6c49a93e0888fccd3e thelounge.initd
212e468d6cedaa528b7fad534b8ba0e7a3d69137940cdabd22dbe34375491900d5b7d577550aa3b245ad7775488a90e308019db55ff15e8ede105c4b9c15b015 allow-https-for-connect-src.patch
"


@ -0,0 +1,13 @@
diff --git a/server/server.ts b/server/server.ts.orig
index 7a1514e..5ecdea9 100644
--- a/server/server.ts
+++ b/server/server.ts.orig
@@ -377,7 +377,7 @@ function addSecurityHeaders(req: Request, res: Response, next: NextFunction) {
"default-src 'none'", // default to nothing
"base-uri 'none'", // disallow <base>, has no fallback to default-src
"form-action 'self'", // 'self' to fix saving passwords in Firefox, even though login is handled in javascript
- "connect-src 'self' ws: wss:", // allow self for polling; websockets
+ "connect-src 'self' ws: wss: https:", // allow self for polling; websockets
"style-src 'self' https: 'unsafe-inline'", // allow inline due to use in irc hex colors
"script-src 'self'", // javascript
"worker-src 'self'", // service worker
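Review bot: The new `connect-src` value on the `+` line admits any `https:` origin, not only the instance's own, even though the title says "allow self https": `'self'` already matches same-origin requests (and under CSP3 a page served over http may be upgraded to the same host over https), so the added scheme source lets client script reach arbitrary HTTPS hosts and weakens the exfiltration protection this directive provides. If a specific external origin is needed, list that origin in place of `https:`; if only the instance's own origin is needed, the existing `'self'` should already cover it, and the inline comment should say which case motivated the patch, e.g. `// allow self for polling; websockets; <origin> for <reason>`. Separately, the `diff --git` and `+++` headers name `b/server/server.ts.orig`; GNU patch appears to still select `server/server.ts` by its shortest-name heuristic, but the header should read `+++ b/server/server.ts` so the target file is explicit rather than chosen by fallback. The enclosing addSecurityHeaders function starts and ends outside the hunk.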