FEATURE: set CSP base-uri and object-src to none (#6863)

2025-05-23 12:11:12 +08:00 · 2019-01-09 15:04:50 -05:00
parent af227cada5
commit dec8e5879a
2 changed files with 16 additions and 0 deletions
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@ -7,6 +7,8 @@ class ContentSecurityPolicy

    def initialize
      @directives = {}.tap do |directives|
+        directives[:base_uri] = [:none]
+        directives[:object_src] = [:none]
        directives[:script_src] = script_src
        directives[:worker_src] = worker_src
        directives[:report_uri] = report_uri if SiteSetting.content_security_policy_collect_reports
--- a/spec/lib/content_security_policy_spec.rb
+++ b/spec/lib/content_security_policy_spec.rb
@ -16,6 +16,20 @@ describe ContentSecurityPolicy do
    end
  end

+  describe 'base-uri' do
+    it 'is set to none' do
+      base_uri = parse(policy)['base-uri']
+      expect(base_uri).to eq(["'none'"])
+    end
+  end
+
+  describe 'object-src' do
+    it 'is set to none' do
+      object_srcs = parse(policy)['object-src']
+      expect(object_srcs).to eq(["'none'"])
+    end
+  end
+
  describe 'worker-src' do
    it 'always has self and blob' do
      worker_srcs = parse(policy)['worker-src']