Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FEATURE: Add hidden setting to allow `unsafe-eval` in CSP 

This new setting defaults to `true` for now, until we make sure that all official plugins and theme components work without `unsafe-eval` in the CSP.
This commit is contained in:
Gerhard Schlager 2019-12-03 20:57:46 +01:00
parent 6fe27b9e97
commit 2cca14d510
2 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
config/site_settings.yml
View File

@ -1389,6 +1389,9 @@ security:
content_security_policy_script_src: content_security_policy_script_src:
type: list type: list
default: "" default: ""
content_security_policy_allow_unsafe_eval:
default: true
hidden: true
invalidate_inactive_admin_email_after_days: invalidate_inactive_admin_email_after_days:
default: 365 default: 365
min: 0 min: 0

2
lib/content_security_policy/default.rb
View File

@ -45,13 +45,13 @@ class ContentSecurityPolicy
def script_src def script_src
[ [
:unsafe_eval,
:report_sample, :report_sample,
"#{base_url}/logs/", "#{base_url}/logs/",
"#{base_url}/sidekiq/", "#{base_url}/sidekiq/",
"#{base_url}/mini-profiler-resources/", "#{base_url}/mini-profiler-resources/",
*script_assets *script_assets
].tap do |sources| ].tap do |sources|
sources << :unsafe_eval if SiteSetting.content_security_policy_allow_unsafe_eval
sources << 'https://www.google-analytics.com/analytics.js' if SiteSetting.ga_universal_tracking_code.present? sources << 'https://www.google-analytics.com/analytics.js' if SiteSetting.ga_universal_tracking_code.present?
sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present? sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present?
end end