Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
33,087 Commits 177 Branches 498 Tags 915 MiB
Commit Graph

5 Commits

Author SHA1 Message Date
David Taylor 705c898c21
FEATURE: Calculate CSP based on active themes (#6976) 2019-02-11 12:32:04 +00:00
Penar Musaraj e11c6ffa89 FEATURE: allow extending CSP base-uri and object-src 
Plus, ensure :none is stripped, it cannot be combined with other sources
 2019-01-09 15:34:14 -05:00
Kyle Zhao dec8e5879a FEATURE: set CSP base-uri and object-src to none (#6863) 2019-01-09 15:04:50 -05:00
Kyle Zhao b0c2e9bb05
minor changes to default script-src (#6770) 
- add report-sample to force require a sample of the violating code
- do not whitelist GA/GTM's entire domain
 2018-12-14 08:17:31 -05:00
Kyle Zhao 488fba3c5f
FEATURE: allow plugins and themes to extend the default CSP (#6704) 
* FEATURE: allow plugins and themes to extend the default CSP

For plugins:

```
extend_content_security_policy(
  script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'],
  style_src: ['https://domain.com/style.css']
)
```

For themes and components:

```
extend_content_security_policy:
  type: list
  default: "script_src:https://domain.com/|style_src:https://domain.com"
```

* clear CSP base url before each test

we have a test that stubs `Rails.env.development?` to true

* Only allow extending directives that core includes, for now
 2018-11-30 09:51:45 -05:00