FIX: correctly strip unneeded csp directives under strict-dynamic (#26180)

This commit is contained in:
David Taylor
2024-03-14 18:50:09 +00:00
committed by GitHub
parent b16f212c47
commit 2546817d07
4 changed files with 19 additions and 9 deletions


@ -647,14 +647,14 @@ RSpec.describe ApplicationController do
get "/"
script_src = parse(response.headers["Content-Security-Policy"])["script-src"]
expect(script_src).to_not include("'unsafe-inline'")
expect(script_src).to_not include("'unsafe-eval'")
SiteSetting.content_security_policy_script_src = "'unsafe-inline'"
SiteSetting.content_security_policy_script_src = "'unsafe-eval'"
get "/"
script_src = parse(response.headers["Content-Security-Policy"])["script-src"]
expect(script_src).to include("'unsafe-inline'")
expect(script_src).to include("'unsafe-eval'")
end
it "does not set CSP when responding to non-HTML" do
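Review bot: After this change the spec only asserts that `'unsafe-eval'` can be added via `content_security_policy_script_src`; nothing in the hunk pins the behaviour the commit title names, that a configured `'unsafe-inline'` is stripped from `script-src` when the policy is under `'strict-dynamic'`. The rendered page lost the +/- markers, so the side of each line is inferred from print order (the `'unsafe-inline'` lines reading as removed); if that is right, the regression the commit fixes is left without a test. Consider keeping the old setting as a separate case, e.g. `SiteSetting.content_security_policy_script_src = "'unsafe-inline'"`, a fresh `get "/"`, then `expect(script_src).to_not include("'unsafe-inline'")`, so a future change that stops stripping it fails a test instead of silently weakening the header. The enclosing `it` block starts outside the hunk.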