remove Logster from CSP whitelist (#6593)
Logster 1.3 no longer has inline JS and is now CSP compliant
This commit is contained in:
parent
0cb33d2b52
commit
3493ea85cc
|
@ -5,10 +5,6 @@ class ContentSecurityPolicy
|
||||||
include GlobalPath
|
include GlobalPath
|
||||||
|
|
||||||
class Middleware
|
class Middleware
|
||||||
WHITELISTED_PATHS = %w(
|
|
||||||
/logs
|
|
||||||
)
|
|
||||||
|
|
||||||
def initialize(app)
|
def initialize(app)
|
||||||
@app = app
|
@app = app
|
||||||
end
|
end
|
||||||
|
@ -18,7 +14,6 @@ class ContentSecurityPolicy
|
||||||
_, headers, _ = response = @app.call(env)
|
_, headers, _ = response = @app.call(env)
|
||||||
|
|
||||||
return response unless html_response?(headers) && ContentSecurityPolicy.enabled?
|
return response unless html_response?(headers) && ContentSecurityPolicy.enabled?
|
||||||
return response if whitelisted?(request.path)
|
|
||||||
|
|
||||||
policy = ContentSecurityPolicy.new.build
|
policy = ContentSecurityPolicy.new.build
|
||||||
headers['Content-Security-Policy'] = policy if SiteSetting.content_security_policy
|
headers['Content-Security-Policy'] = policy if SiteSetting.content_security_policy
|
||||||
|
@ -32,14 +27,6 @@ class ContentSecurityPolicy
|
||||||
def html_response?(headers)
|
def html_response?(headers)
|
||||||
headers['Content-Type'] && headers['Content-Type'] =~ /html/
|
headers['Content-Type'] && headers['Content-Type'] =~ /html/
|
||||||
end
|
end
|
||||||
|
|
||||||
def whitelisted?(path)
|
|
||||||
if GlobalSetting.relative_url_root
|
|
||||||
path.slice!(/^#{Regexp.quote(GlobalSetting.relative_url_root)}/)
|
|
||||||
end
|
|
||||||
|
|
||||||
WHITELISTED_PATHS.any? { |whitelisted| path.start_with?(whitelisted) }
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.enabled?
|
def self.enabled?
|
||||||
|
|
|
@ -260,16 +260,6 @@ RSpec.describe ApplicationController do
|
||||||
expect(response.headers).to_not include('Content-Security-Policy-Report-Only')
|
expect(response.headers).to_not include('Content-Security-Policy-Report-Only')
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'does not set CSP for /logs' do
|
|
||||||
sign_in(Fabricate(:admin))
|
|
||||||
SiteSetting.content_security_policy = true
|
|
||||||
|
|
||||||
get '/logs'
|
|
||||||
|
|
||||||
expect(response.status).to eq(200)
|
|
||||||
expect(response.headers).to_not include('Content-Security-Policy')
|
|
||||||
end
|
|
||||||
|
|
||||||
def parse(csp_string)
|
def parse(csp_string)
|
||||||
csp_string.split(';').map do |policy|
|
csp_string.split(';').map do |policy|
|
||||||
directive, *sources = policy.split
|
directive, *sources = policy.split
|
||||||
|
|
Loading…
Reference in New Issue