mirror of
https://github.com/discourse/discourse.git
synced 2025-05-29 01:31:35 +08:00
DEV: Change default of cross_origin_opener_policy_header
(#24940)
Why this change? This is part of our efforts to harden the security of the Discourse application. Setting the `CROSS_ORIGIN_OPENER_POLICY` header to `same-origin-allow-popups` by default makes the application safer. We have opted to make this a hidden site setting because most admins will never have to care about this setting so we're are opting not to show it. If they do have to change it, they can still do so by setting the `DISCOURSE_CROSS_ORIGIN_OPENER_POLICY` env.
This commit is contained in:

committed by
GitHub

parent
3380d283c9
commit
38abc0d922
@ -993,9 +993,7 @@ class ApplicationController < ActionController::Base
|
||||
end
|
||||
|
||||
def set_cross_origin_opener_policy_header
|
||||
if SiteSetting.cross_origin_opener_policy_header != "unsafe-none"
|
||||
response.headers["Cross-Origin-Opener-Policy"] = SiteSetting.cross_origin_opener_policy_header
|
||||
end
|
||||
response.headers["Cross-Origin-Opener-Policy"] = SiteSetting.cross_origin_opener_policy_header
|
||||
end
|
||||
|
||||
protected
|
||||
|
Reference in New Issue
Block a user