github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-29 01:31:35 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
52,135 Commits 294 Branches 514 Tags
1a8b1fc6981c79e7776ff834bb8faa3c4961c061
Commit Graph

10 Commits

Author SHA1 Message Date
OsamaSayegh
0976c8fad6 SECURITY: Don't reuse CSP nonce between anonymous requests 2023-07-28 12:53:44 +01:00
Blake Erickson
eed7d86601 SECURITY: Don't reuse CSP nonce between requests (#22544) 
Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
 2023-07-11 15:24:36 -06:00
David Taylor
6417173082 DEV: Apply syntax_tree formatting to lib/* 2023-01-09 12:10:19 +00:00
David Taylor
174a8b431b DEV: Support passing relative URLs CSP builder (#19176) 
Raw paths like `/test/path` are not supported natively in the CSP. This commit prepends the site's base URL to these paths. This allows plugins to add 'local' assets to the CSP without needing to hardcode the site's hostname.
 2022-11-24 11:27:47 +00:00
Loïc Guitaut
008b700a3f DEV: Upgrade to Rails 7 
This patch upgrades Rails to version 7.0.2.4.
 2022-04-28 11:51:03 +02:00
Penar Musaraj
8336e732d3 DEV: Add manifest-src to CSP (#13319) 
Defaults to `manifest-src: 'self'` and allows plugins/themes to extend it.
 2021-06-08 09:32:31 -04:00
Penar Musaraj
f90c4bd6a1 DEV: Allow plugins to extend frame-ancestors (#13316) 2021-06-07 14:59:15 -04:00
David Taylor
19814c5e81 FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180) 
- Define the CSP based on the requested domain / scheme (respecting force_https)
- Update EnforceHostname middleware to allow secondary domains, add specs
- Add URL scheme to anon cache key so that CSP headers are cached correctly
 2020-03-19 19:54:42 +00:00
Penar Musaraj
e11c6ffa89 FEATURE: allow extending CSP base-uri and object-src 
Plus, ensure :none is stripped, it cannot be combined with other sources
 2019-01-09 15:34:14 -05:00
Kyle Zhao
488fba3c5f FEATURE: allow plugins and themes to extend the default CSP (#6704) 
* FEATURE: allow plugins and themes to extend the default CSP

For plugins:

```
extend_content_security_policy(
  script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'],
  style_src: ['https://domain.com/style.css']
)
```

For themes and components:

```
extend_content_security_policy:
  type: list
  default: "script_src:https://domain.com/|style_src:https://domain.com"
```

* clear CSP base url before each test

we have a test that stubs `Rails.env.development?` to true

* Only allow extending directives that core includes, for now
 2018-11-30 09:51:45 -05:00