FIX: Set CSP base-uri to `self` (#13654)
This commit is contained in:
parent
236d6d91b2
commit
35110f6681
@ -9,7 +9,7 @@ class ContentSecurityPolicy
|
|||
@base_url = base_url
|
||||
@directives = {}.tap do |directives|
|
||||
directives[:upgrade_insecure_requests] = [] if SiteSetting.force_https
|
||||
directives[:base_uri] = [:none]
|
||||
directives[:base_uri] = [:self]
|
||||
directives[:object_src] = [:none]
|
||||
directives[:script_src] = script_src
|
||||
directives[:worker_src] = worker_src
|
||||
|
|
|
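Review bot: The relaxation of `base_uri` from `none` to `self` is not explained in the hunk, so a later reader seeing it next to `object_src = [:none]` may well tighten it back; a why-comment on the new line would prevent that, e.g. `# 'self' rather than 'none': a same-origin <base href> must be allowed here (see #13654)` — the concrete reason is not visible in this commit and should be filled in from the PR discussion. It is also worth recording that `'self'` still lets any injected `<base>` element repoint every relative URL on the page to an attacker-chosen path on this origin, so relative script and stylesheet references stay only as safe as the surrounding markup, and the directive should not be widened further (for example to a CDN host) without re-checking those references. The enclosing `initialize` and its `.tap` block start and end outside the hunk.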
@ -19,9 +19,9 @@ describe ContentSecurityPolicy do
|
|||
end
|
||||
|
||||
describe 'base-uri' do
|
||||
it 'is set to none' do
|
||||
it 'is set to self' do
|
||||
base_uri = parse(policy)['base-uri']
|
||||
expect(base_uri).to eq(["'none'"])
|
||||
expect(base_uri).to eq(["'self'"])
|
||||
end
|
||||
end
|
||||
|
||||
|
|