remove Logster from CSP whitelist (#6593)
Logster 1.3 no longer has inline JS and is now CSP compliant
This commit is contained in:
parent
0cb33d2b52
commit
3493ea85cc
|
@ -5,10 +5,6 @@ class ContentSecurityPolicy
|
|||
include GlobalPath
|
||||
|
||||
class Middleware
|
||||
WHITELISTED_PATHS = %w(
|
||||
/logs
|
||||
)
|
||||
|
||||
def initialize(app)
|
||||
@app = app
|
||||
end
|
||||
|
@ -18,7 +14,6 @@ class ContentSecurityPolicy
|
|||
_, headers, _ = response = @app.call(env)
|
||||
|
||||
return response unless html_response?(headers) && ContentSecurityPolicy.enabled?
|
||||
return response if whitelisted?(request.path)
|
||||
|
||||
policy = ContentSecurityPolicy.new.build
|
||||
headers['Content-Security-Policy'] = policy if SiteSetting.content_security_policy
|
||||
|
@ -32,14 +27,6 @@ class ContentSecurityPolicy
|
|||
def html_response?(headers)
|
||||
headers['Content-Type'] && headers['Content-Type'] =~ /html/
|
||||
end
|
||||
|
||||
def whitelisted?(path)
|
||||
if GlobalSetting.relative_url_root
|
||||
path.slice!(/^#{Regexp.quote(GlobalSetting.relative_url_root)}/)
|
||||
end
|
||||
|
||||
WHITELISTED_PATHS.any? { |whitelisted| path.start_with?(whitelisted) }
|
||||
end
|
||||
end
|
||||
|
||||
def self.enabled?
|
||||
|
|
|
@ -260,16 +260,6 @@ RSpec.describe ApplicationController do
|
|||
expect(response.headers).to_not include('Content-Security-Policy-Report-Only')
|
||||
end
|
||||
|
||||
it 'does not set CSP for /logs' do
|
||||
sign_in(Fabricate(:admin))
|
||||
SiteSetting.content_security_policy = true
|
||||
|
||||
get '/logs'
|
||||
|
||||
expect(response.status).to eq(200)
|
||||
expect(response.headers).to_not include('Content-Security-Policy')
|
||||
end
|
||||
|
||||
def parse(csp_string)
|
||||
csp_string.split(';').map do |policy|
|
||||
directive, *sources = policy.split
|
||||
|
|
Loading…
Reference in New Issue