discourse/lib/content_security_policy.rb
Kyle Zhao 488fba3c5f
FEATURE: allow plugins and themes to extend the default CSP (#6704)
* FEATURE: allow plugins and themes to extend the default CSP

For plugins:

```
extend_content_security_policy(
  script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'],
  style_src: ['https://domain.com/style.css']
)
```

For themes and components:

```
extend_content_security_policy:
  type: list
  default: "script_src:https://domain.com/|style_src:https://domain.com"
```

* clear CSP base url before each test

we have a test that stubs `Rails.env.development?` to true

* Only allow extending directives that core includes, for now
2018-11-30 09:51:45 -05:00


# frozen_string_literal: true
require_dependency 'content_security_policy/builder'
require_dependency 'content_security_policy/extension'
# Assembles Discourse's Content-Security-Policy value.
#
# A fresh Builder is fed, in order, every theme extension, every plugin
# extension and finally the site-setting extension, then rendered via
# Builder#build. Whether feeding order is significant depends on
# Builder#<< (defined in content_security_policy/builder, not shown here).
class ContentSecurityPolicy
  class << self
    # Explicit override of the base URL. The commit message mentions tests
    # clearing it between examples; when unset (nil) the reader below falls
    # back to Discourse.base_url.
    attr_writer :base_url

    # Convenience entry point: build a policy from the current extensions.
    # @return whatever Builder#build returns for a new instance
    def policy
      new.build
    end

    # @return the explicitly assigned base URL, or Discourse.base_url when
    #   none has been set
    def base_url
      @base_url || Discourse.base_url
    end
  end

  # Collections of extensions appended before the site-setting extension,
  # in the order they are consulted.
  EXTENSION_SOURCES = %i[theme_extensions plugin_extensions].freeze

  # Feed every registered extension into a new Builder and render it.
  #
  # Each source in EXTENSION_SOURCES is resolved and iterated in turn, so
  # theme extensions are appended before plugin extensions; the single
  # site-setting extension is appended last.
  # @return whatever Builder#build returns
  def build
    builder = Builder.new
    EXTENSION_SOURCES.each do |source|
      Extension.public_send(source).each { |extension| builder << extension }
    end
    builder << Extension.site_setting_extension
    builder.build
  end
end
# Short alias; `CSP` and `ContentSecurityPolicy` name the same class object.
CSP = ContentSecurityPolicy