linkPreviews: Enforce TLS validity

When a URL is prefixed with a TLS scheme, we should make sure
that the remote provides a valid cert, even just for prefetches.
Else MITM of such a site is trivial.

This probably breaks some people with self-signed certs, but the
age where that was acceptable is past. We have free CAs now like
Let's Encrypt.
Reto Brunner 2022-08-06 12:37:51 +02:00
parent 11f7ae98be
commit 621fa92036

@ -437,9 +437,6 @@ function fetch(uri: string, headers: Record<string, string>) {
retry: 0,
timeout: prefetchTimeout || 5000, // milliseconds
headers: getRequestHeaders(headers),
https: {
rejectUnauthorized: false,
},
});
gotStream
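
Review bot: With the `https: { rejectUnauthorized: false }` block dropped from the options in `fetch`, a certificate failure now surfaces as a request error on `gotStream`, and with `retry: 0` there is no second attempt, so it is worth confirming that the stream's error handler degrades to "no preview" quietly instead of logging a full error for every link to a host with a bad cert. The commit message already expects self-signed setups to break, so this deserves a changelog entry. Operators whose internal sites use a private CA can add that CA to Node's trust store through the `NODE_EXTRA_CA_CERTS` environment variable, which keeps verification on instead of reintroducing a blanket bypass.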