FEATURE: Completely remove unsafe-eval
from CSP
Plugins can add it via API if they need to use `eval`: ``` extend_content_security_policy(script_src: [:unsafe_eval]) ``` See https://meta.discourse.org/t/104243
This commit is contained in:
parent
1fb7a6297c
commit
f62215046f
|
@ -1404,9 +1404,6 @@ security:
|
|||
content_security_policy_script_src:
|
||||
type: list
|
||||
default: ""
|
||||
content_security_policy_allow_unsafe_eval:
|
||||
default: true
|
||||
hidden: true
|
||||
invalidate_inactive_admin_email_after_days:
|
||||
default: 365
|
||||
min: 0
|
||||
|
|
|
@ -51,7 +51,6 @@ class ContentSecurityPolicy
|
|||
"#{base_url}/mini-profiler-resources/",
|
||||
*script_assets
|
||||
].tap do |sources|
|
||||
sources << :unsafe_eval if SiteSetting.content_security_policy_allow_unsafe_eval
|
||||
sources << 'https://www.google-analytics.com/analytics.js' if SiteSetting.ga_universal_tracking_code.present?
|
||||
sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present?
|
||||
end
|
||||
|
|