discourse

mirror of https://github.com/discourse/discourse.git synced 2024-11-23 06:49:14 +08:00

Author	SHA1	Message	Date
Gerhard Schlager	f62215046f	FEATURE: Completely remove `unsafe-eval` from CSP Plugins can add it via API if they need to use `eval`: ``` extend_content_security_policy(script_src: [:unsafe_eval]) ``` See https://meta.discourse.org/t/104243	2019-12-13 12:38:32 +01:00
Gerhard Schlager	2cca14d510	FEATURE: Add hidden setting to allow `unsafe-eval` in CSP This new setting defaults to `true` for now, until we make sure that all official plugins and theme components work without `unsafe-eval` in the CSP.	2019-12-03 21:09:08 +01:00
David Taylor	705c898c21	FEATURE: Calculate CSP based on active themes (#6976 )	2019-02-11 12:32:04 +00:00
Penar Musaraj	e11c6ffa89	FEATURE: allow extending CSP base-uri and object-src Plus, ensure :none is stripped, it cannot be combined with other sources	2019-01-09 15:34:14 -05:00
Kyle Zhao	dec8e5879a	FEATURE: set CSP base-uri and object-src to none (#6863 )	2019-01-09 15:04:50 -05:00
Kyle Zhao	b0c2e9bb05	minor changes to default script-src (#6770 ) - add report-sample to force require a sample of the violating code - do not whitelist GA/GTM's entire domain	2018-12-14 08:17:31 -05:00
Kyle Zhao	488fba3c5f	FEATURE: allow plugins and themes to extend the default CSP (#6704 ) * FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/\|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now	2018-11-30 09:51:45 -05:00

7 Commits