Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
33,010 Commits 181 Branches 498 Tags 917 MiB
Commit Graph

3 Commits

Author SHA1 Message Date
Sam Saffron 4ea21fa2d0 DEV: use #frozen_string_literal: true on all spec 
This change both speeds up specs (less strings to allocate) and helps catch
cases where methods in Discourse are mutating inputs.

Overall we will be migrating everything to use #frozen_string_literal: true
it will take a while, but this is the first and safest move in this direction
 2019-04-30 10:27:42 +10:00
Penar Musaraj e11c6ffa89 FEATURE: allow extending CSP base-uri and object-src 
Plus, ensure :none is stripped, it cannot be combined with other sources
 2019-01-09 15:34:14 -05:00
Kyle Zhao 488fba3c5f
FEATURE: allow plugins and themes to extend the default CSP (#6704) 
* FEATURE: allow plugins and themes to extend the default CSP

For plugins:

```
extend_content_security_policy(
  script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'],
  style_src: ['https://domain.com/style.css']
)
```

For themes and components:

```
extend_content_security_policy:
  type: list
  default: "script_src:https://domain.com/|style_src:https://domain.com"
```

* clear CSP base url before each test

we have a test that stubs `Rails.env.development?` to true

* Only allow extending directives that core includes, for now
 2018-11-30 09:51:45 -05:00