github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-23 17:01:09 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FEATURE: set CSP base-uri and object-src to none (#6863)

Browse Source
This commit is contained in:
Kyle Zhao
2019-01-09 15:04:50 -05:00
committed by Penar Musaraj
parent af227cada5
commit dec8e5879a
2 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/content_security_policy/default.rb
View File

@ -7,6 +7,8 @@ class ContentSecurityPolicy
def initialize def initialize
@directives = {}.tap do |directives| @directives = {}.tap do |directives|
directives[:base_uri] = [:none]
directives[:object_src] = [:none]
directives[:script_src] = script_src directives[:script_src] = script_src
directives[:worker_src] = worker_src directives[:worker_src] = worker_src
directives[:report_uri] = report_uri if SiteSetting.content_security_policy_collect_reports directives[:report_uri] = report_uri if SiteSetting.content_security_policy_collect_reports

14
spec/lib/content_security_policy_spec.rb
View File

@ -16,6 +16,20 @@ describe ContentSecurityPolicy do
end end
end end
describe 'base-uri' do
it 'is set to none' do
base_uri = parse(policy)['base-uri']
expect(base_uri).to eq(["'none'"])
end
end
describe 'object-src' do
it 'is set to none' do
object_srcs = parse(policy)['object-src']
expect(object_srcs).to eq(["'none'"])
end
end
describe 'worker-src' do describe 'worker-src' do
it 'always has self and blob' do it 'always has self and blob' do
worker_srcs = parse(policy)['worker-src'] worker_srcs = parse(policy)['worker-src']