FEATURE: allow extending CSP base-uri and object-src

Also ensure :none is stripped, since it cannot be combined with other sources
Penar Musaraj 2019-01-09 15:33:42 -05:00
parent 9ba8bfb1aa
commit e11c6ffa89
3 changed files with 8 additions and 3 deletions


@ -4,13 +4,14 @@ require_dependency 'content_security_policy/default'
class ContentSecurityPolicy
class Builder
EXTENDABLE_DIRECTIVES = %i[
base_uri
object_src
script_src
worker_src
].freeze
# Make extending these directives no-op, until core includes them in default CSP
TO_BE_EXTENDABLE = %i[
base_uri
connect_src
default_src
font_src
@ -20,7 +21,6 @@ class ContentSecurityPolicy
img_src
manifest_src
media_src
object_src
prefetch_src
style_src
].freeze
@ -65,6 +65,8 @@ class ContentSecurityPolicy
else
@directives[directive] << sources
end
@directives[directive].delete(:none) if @directives[directive].count > 1
end
def extendable?(directive)
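Review bot: The new `delete(:none)` line removes every `:none` entry as soon as the directive holds more than one source, so a plugin that itself passes `:none` next to the default leaves the directive with an empty source list instead of `'none'`; testing for the presence of other sources is more precise: `@directives[directive].delete(:none) if @directives[directive].any? { |s| s != :none }`. The reason for the strip is a CSP rule rather than a code rule and deserves a why-comment on that line, e.g. `# 'none' is exclusive in CSP: once other sources are present it must be dropped or the directive is invalid`. Moving base_uri and object_src into EXTENDABLE_DIRECTIVES means a restrictive default for those directives (if the core default is `'none'`, which this hunk does not show) is silently widened to a host allow-list by the first plugin that extends it; a debug log entry at the strip would make that widening visible to operators. The method containing these lines starts above the hunk.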


@ -4,5 +4,6 @@
# authors: xrav3nz
extend_content_security_policy(
script_src: ['https://from-plugin.com']
script_src: ['https://from-plugin.com'],
object_src: ['https://test-stripping.com']
)


@ -111,6 +111,8 @@ describe ContentSecurityPolicy do
plugin.enabled = true
expect(parse(policy)['script-src']).to include('https://from-plugin.com')
expect(parse(policy)['object-src']).to include('https://test-stripping.com')
expect(parse(policy)['object-src']).to_not include("'none'")
plugin.enabled = false
expect(parse(policy)['script-src']).to_not include('https://from-plugin.com')
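Review bot: The added expectations exercise object-src only; base_uri was moved into EXTENDABLE_DIRECTIVES in the same commit, yet nothing here extends it, so neither the extension nor the `'none'`-stripping path is pinned for that directive. A matching pair — a `base_uri: ['https://example-base.test']` entry in the fixture plugin (constructed value) and `expect(parse(policy)['base-uri']).to include('https://example-base.test')` here — would cover it, and an assertion that the strip does not fire when the plugin is disabled (`expect(parse(policy)['object-src']).to include("'none'")` after `plugin.enabled = false`, assuming the default is `'none'`, which this hunk does not show) would prove the stripping is conditional. The surrounding example block starts and ends outside the hunk.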