From c934889b58fc23e59ab5d9d494ef7e0d46734268 Mon Sep 17 00:00:00 2001
From: Thomas Citharel <tcit@tcit.fr>
Date: Fri, 26 Feb 2021 11:44:27 +0100
Subject: [PATCH] Allow every origin for connect-src because of Webfinger

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
---
 lib/web/plugs/http_security_plug.ex | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/web/plugs/http_security_plug.ex b/lib/web/plugs/http_security_plug.ex
index f66cb9aa3..ab10f77d9 100644
--- a/lib/web/plugs/http_security_plug.ex
+++ b/lib/web/plugs/http_security_plug.ex
@@ -52,8 +52,9 @@ defmodule Mobilizon.Web.Plugs.HTTPSecurityPlug do
 
     media_src = ["media-src 'self' "] ++ Config.get([:http_security, :csp_policy, :media_src])
 
+    # Connect-src is available for any origin because of webfinger query to redirect to content
     connect_src =
-      ["connect-src 'self' blob: ", static_url, ?\s, websocket_url] ++
+      ["connect-src 'self' * blob: ", static_url, ?\s, websocket_url] ++
         Config.get([:http_security, :csp_policy, :connect_src])
 
     script_src =