Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: Set CSP base-uri to `self` (#13654)

This commit is contained in:
Penar Musaraj 2021-07-07 09:43:48 -04:00 committed by GitHub
parent 236d6d91b2
commit 35110f6681
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/content_security_policy/default.rb
View File

@ -9,7 +9,7 @@ class ContentSecurityPolicy
@base_url = base_url
@directives = {}.tap do |directives|
directives[:upgrade_insecure_requests] = [] if SiteSetting.force_https
directives[:base_uri] = [:none]
directives[:base_uri] = [:self]
directives[:object_src] = [:none]
directives[:script_src] = script_src
directives[:worker_src] = worker_src

4
spec/lib/content_security_policy_spec.rb
View File

@ -19,9 +19,9 @@ describe ContentSecurityPolicy do
end
describe 'base-uri' do
it 'is set to none' do
it 'is set to self' do
base_uri = parse(policy)['base-uri']
expect(base_uri).to eq(["'none'"])
expect(base_uri).to eq(["'self'"])
end
end