github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-25 19:29:34 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FEATURE: allow plugins and themes to extend the default CSP (#6704)

Browse Source 
* FEATURE: allow plugins and themes to extend the default CSP

For plugins:

```
extend_content_security_policy(
  script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'],
  style_src: ['https://domain.com/style.css']
)
```

For themes and components:

```
extend_content_security_policy:
  type: list
  default: "script_src:https://domain.com/|style_src:https://domain.com"
```

* clear CSP base url before each test

we have a test that stubs `Rails.env.development?` to true

* Only allow extending directives that core includes, for now
This commit is contained in:
Kyle Zhao
2018-11-30 09:51:45 -05:00
committed by GitHub
parent 7dec963f2e
commit 488fba3c5f
13 changed files with 384 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
lib/plugin/instance.rb
View File

@ -32,7 +32,9 @@ class Plugin::Instance
:locales,
:service_workers,
:styles,
:themes].each do |att|
:themes,
:csp_extensions,
].each do |att|
class_eval %Q{
def #{att}
@#{att} ||= []
@ -361,6 +363,10 @@ class Plugin::Instance
DiscoursePluginRegistry.register_svg_icon(icon)
end
def extend_content_security_policy(extension)
csp_extensions << extension
end
# @option opts [String] :name
# @option opts [String] :nativeName
# @option opts [String] :fallbackLocale