discourse/spec
David Taylor b1f74ab59e
FEATURE: Add experimental option for strict-dynamic CSP (#25664)
The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction.

This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts.

All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags.

This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
fabricators DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
fixtures DEV: Refactor subclasses in ThemeSettingsManager to individual files (#25605) 2024-02-08 12:59:52 +08:00
generator DEV: Improve site setting rename generator (#25354) 2024-01-25 10:45:46 +10:00
helpers FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
import_export DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
initializers DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
integration DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
integrity Enable Embroider/Webpack code splitting for Wizard (#24919) 2023-12-20 13:15:06 +00:00
jobs DEV: Drop deprecated Badge#image column (#25536) 2024-02-02 14:09:55 +08:00
lib FIX: is_my_own? check for users who are anonymously doing actions (#25716) 2024-02-16 14:28:12 +10:00
mailers DEV: Automatically update groups for test users with explicit TL (#25415) 2024-01-29 17:52:02 +08:00
migrations DEV: Switch over category settings to new table - Part 3 (#20657) 2023-09-12 09:51:49 +08:00
models FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
multisite DEV: Add S3 upload system specs using minio (#22975) 2023-08-23 11:18:33 +10:00
requests FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
script/import_scripts DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
serializers FIX: serialize can_ignore_users (#25672) 2024-02-14 15:17:19 +11:00
services FEATURE: Async load of category and chat hashtags (#25526) 2024-02-12 12:07:14 +02:00
support FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
system FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
tasks DEV: Add file_size_restriction site setting type (#24704) 2023-12-13 16:22:48 -07:00
views FIX: Use subfolder-safe url for category in html view (#24595) 2023-11-28 19:08:14 +08:00
rails_helper.rb DEV: Disable BlockRequestsMiddleware before every test (#25712) 2024-02-16 07:01:36 +08:00
regenerate_swagger_docs DEV: Add API docs for uploads and API doc watcher (#15387) 2021-12-23 08:40:15 +10:00
swagger_helper.rb DEV: Bump rswag-specs from 2.11.0 to 2.13.0 (#24654) 2023-12-07 08:16:47 +08:00