FIX: Set CSP base-uri to `self` (#13654)

This commit is contained in:
Penar Musaraj 2021-07-07 09:43:48 -04:00 committed by GitHub
parent 236d6d91b2
commit 35110f6681
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 3 deletions


@ -9,7 +9,7 @@ class ContentSecurityPolicy
@base_url = base_url
@directives = {}.tap do |directives|
directives[:upgrade_insecure_requests] = [] if SiteSetting.force_https
directives[:base_uri] = [:none]
directives[:base_uri] = [:self]
directives[:object_src] = [:none]
directives[:script_src] = script_src
directives[:worker_src] = worker_src
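Review bot: The new `directives[:base_uri] = [:self]` line loosens the policy from `'none'` to `'self'` without recording why, and the commit message only says "FIX", so the next reader has no way to know which feature needs a same-origin `<base>` element and may revert it to the stricter value. Add a one-line why-comment naming that feature, e.g. `# 'self' not 'none': <base href> is relied on by <feature> (#13654)`. It is also worth confirming in the PR that the weaker value is acceptable: with `'self'` an injected `<base href>` can still rebase every relative URL in the page to another same-origin path, so the remaining protection depends on `script_src` (set on the next line, defined outside this hunk) not allowing any same-origin path that serves user-controlled content. The enclosing method starts before the hunk (`@base_url = base_url` is its first visible line) and the `{}.tap do` block continues past it.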


@ -19,9 +19,9 @@ describe ContentSecurityPolicy do
end
describe 'base-uri' do
it 'is set to none' do
it 'is set to self' do
base_uri = parse(policy)['base-uri']
expect(base_uri).to eq(["'none'"])
expect(base_uri).to eq(["'self'"])
end
end