discourse/app/views
David Taylor b1f74ab59e
FEATURE: Add experimental option for strict-dynamic CSP (#25664)
The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction.

This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts.

All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags.

This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
..
about FEATURE: Add plugin API to register About stat group (#17442) 2022-07-15 13:16:00 +10:00
admin/backups
application FIX: Offer site_logo_dark_url as an option for dark mode themes (#14361) 2021-09-16 17:47:51 -04:00
badges FIX: in case of orphan user records skip badge 2019-08-30 17:21:34 +10:00
categories UX: Include subcategories in crawler view (#21227) 2023-04-25 10:51:45 -04:00
common FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
default
email FIX: Validate unsubscribe key has an associated user (#19262) 2022-11-30 14:29:07 -03:00
embed FIX: Ensure embedded replies/reply-to links open in _blank (#14597) 2021-10-13 21:34:30 +01:00
exceptions FEATURE: Add page title to 404 pages (#16846) 2022-05-17 18:37:43 +03:00
finish_installation FIX: Broken images on subfolder installs (#19404) 2022-12-09 11:24:12 -07:00
groups FEATURE: add title tag for group detail page (#13702) 2021-07-12 20:05:57 +05:30
invites FIX: broken emoji url on password reset w/ subfolder (#19373) 2022-12-09 10:01:43 -07:00
layouts FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
list PERF: Avoid calling the same translation twice when rendering lists view (#22976) 2023-08-04 13:38:41 +08:00
metadata
offline UX: Remove Helvetica from our font stack (#11876) 2021-02-05 17:01:21 -05:00
posts FEATURE: use canonical links in posts.rss feed (#16190) 2022-03-15 20:17:06 +11:00
published_pages FIX: use normal logo in published pages if small not available. 2020-09-21 09:20:39 +05:30
qunit DEV: Use WebPack stats plugin to map entrypoints to chunks (#24239) 2023-11-07 10:24:49 +00:00
robots_txt removed broken link and comments from no_index.erb (#25648) 2024-02-14 12:09:24 +08:00
safe_mode DEV: Add safe_mode=deprecation_errors mode (#24870) 2023-12-13 14:06:59 +00:00
search
session FEATURE: Rename 'Discourse SSO' to DiscourseConnect (#11978) 2021-02-08 10:04:33 +00:00
sitemap FEATURE: Let sites add a sitemap.xml file. (#16357) 2022-04-12 10:33:59 -03:00
static DEV: add class for static login description section (#22002) 2023-06-08 19:51:41 +05:30
tags FIX: Use new tag routes (#8683) 2020-01-21 19:23:08 +02:00
topics FIX: set microdata schema for topic on missing first post (#25195) 2024-01-12 16:29:03 +05:30
user_api_keys
user_notifications FIX: Likes received count in digest email (#21458) 2023-05-09 19:19:26 +02:00
users FIX: Account activation under ember-5 build (#24722) 2023-12-05 17:49:40 +00:00