FEATURE: Completely remove unsafe-eval from CSP

Plugins can add it back via the API if they need to use `eval`:
```
extend_content_security_policy(script_src: [:unsafe_eval])
```

See https://meta.discourse.org/t/104243
Gerhard Schlager 2019-12-13 12:27:16 +01:00
parent 1fb7a6297c
commit f62215046f
2 changed files with 0 additions and 4 deletions


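--- a/<path-not-shown-on-page: site settings yml>
+++ b/<path-not-shown-on-page: site settings yml>
@@ -1404,9 +1404,6 @@ security:
 content_security_policy_script_src:
 type: list
 default: ""
-content_security_policy_allow_unsafe_eval:
-default: true
-hidden: true
 invalidate_inactive_admin_email_after_days:
 default: 365
 min: 0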
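Review bot: The definition of `content_security_policy_allow_unsafe_eval` is dropped here, but the two-file diffstat shows no migration that removes a persisted override of it; if this project stores admin-changed site settings in a database table (the `SiteSetting.` accessor in the second file suggests it does), any stored row for the removed name would be left orphaned. Consider a follow-up migration that deletes that row, so a later setting reusing the name cannot silently inherit the old `true` value. The CSP tightening itself is correct: with the hidden, default-on switch gone, `unsafe-eval` can no longer be re-enabled through site settings.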


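--- a/<path-not-shown-on-page: content security policy rb>
+++ b/<path-not-shown-on-page: content security policy rb>
@@ -51,7 +51,6 @@ class ContentSecurityPolicy
 "#{base_url}/mini-profiler-resources/",
 *script_assets
 ].tap do |sources|
-sources << :unsafe_eval if SiteSetting.content_security_policy_allow_unsafe_eval
 sources << 'https://www.google-analytics.com/analytics.js' if SiteSetting.ga_universal_tracking_code.present?
 sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present?
 end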
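Review bot: With the conditional line gone, nothing in the `tap` block records that `:unsafe_eval` is intentionally absent from `script-src`, so a maintainer chasing a plugin's `eval` breakage may re-add it here rather than in the plugin. A one-line comment at the top of the block would carry the commit message's intent into the code: `# :unsafe_eval is deliberately not added here; plugins that need eval opt in via extend_content_security_policy(script_src: [:unsafe_eval])`. The method that builds this source list starts outside the hunk.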