github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-24 17:15:32 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
51,364 Commits 190 Branches 500 Tags 938 MiB
b6d9aa5a4c
Commit Graph

10 Commits

Author SHA1 Message Date
OsamaSayegh
0976c8fad6
SECURITY: Don't reuse CSP nonce between anonymous requests 2023-07-28 12:53:44 +01:00
Blake Erickson
eed7d86601
SECURITY: Don't reuse CSP nonce between requests (#22544) 
Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
 2023-07-11 15:24:36 -06:00
David Taylor
6417173082
DEV: Apply syntax_tree formatting to lib/* 2023-01-09 12:10:19 +00:00
David Taylor
174a8b431b
DEV: Support passing relative URLs CSP builder (#19176) 
Raw paths like `/test/path` are not supported natively in the CSP. This commit prepends the site's base URL to these paths. This allows plugins to add 'local' assets to the CSP without needing to hardcode the site's hostname.
 2022-11-24 11:27:47 +00:00
Loïc Guitaut
008b700a3f DEV: Upgrade to Rails 7 
This patch upgrades Rails to version 7.0.2.4.
 2022-04-28 11:51:03 +02:00
Penar Musaraj
8336e732d3
DEV: Add manifest-src to CSP (#13319) 
Defaults to `manifest-src: 'self'` and allows plugins/themes to extend it.
 2021-06-08 09:32:31 -04:00
Penar Musaraj
f90c4bd6a1
DEV: Allow plugins to extend frame-ancestors (#13316) 2021-06-07 14:59:15 -04:00
David Taylor
19814c5e81
FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180) 
- Define the CSP based on the requested domain / scheme (respecting force_https)
- Update EnforceHostname middleware to allow secondary domains, add specs
- Add URL scheme to anon cache key so that CSP headers are cached correctly
 2020-03-19 19:54:42 +00:00
Penar Musaraj
e11c6ffa89 FEATURE: allow extending CSP base-uri and object-src 
Plus, ensure :none is stripped, it cannot be combined with other sources
 2019-01-09 15:34:14 -05:00
Kyle Zhao
488fba3c5f
FEATURE: allow plugins and themes to extend the default CSP (#6704) 
* FEATURE: allow plugins and themes to extend the default CSP

For plugins:

```
extend_content_security_policy(
  script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'],
  style_src: ['https://domain.com/style.css']
)
```

For themes and components:

```
extend_content_security_policy:
  type: list
  default: "script_src:https://domain.com/|style_src:https://domain.com"
```

* clear CSP base url before each test

we have a test that stubs `Rails.env.development?` to true

* Only allow extending directives that core includes, for now
 2018-11-30 09:51:45 -05:00