discourse/config
David Taylor b1f74ab59e
FEATURE: Add experimental option for strict-dynamic CSP (#25664)
The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction.

This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts.

All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags.

This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
cloud/cloud66 DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
environments DEV: Create unlogged tables by default in the test environment (#25451) 2024-01-29 09:57:58 +08:00
initializers FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
locales FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
application.rb FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
boot.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
cdn.yml.sample
database.yml DEV: Fix checkout time not properly enabled on CI (#25621) 2024-02-09 06:02:42 +08:00
deploy.rb.sample
dev_defaults.yml DEV: Convert `admin-incoming-email` modal to component-based API (#22701) 2023-07-20 16:31:20 -05:00
discourse.config.sample
discourse.pill.sample
discourse_defaults.conf DEV: Add `disable_service_worker_cache` global setting (#25589) 2024-02-07 10:44:12 +00:00
environment.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
logrotate.conf
multisite.yml.production-sample DEV: Remove `db_id` from sample multisite config. 2020-05-29 10:48:29 +08:00
nginx.global.conf
nginx.sample.conf FEATURE: Add support for AVIF images (#21680) 2023-05-24 16:13:36 -03:00
projections.json DEV: Use .hbr for raw template file extension (#8883) 2020-02-11 13:38:12 -06:00
puma.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
routes.rb FEATURE: Groundwork for schema theme settings UI (#25673) 2024-02-16 09:31:49 +03:00
sidekiq.yml FEATURE: introduce ultra_low priority queue 2019-01-17 14:53:19 +11:00
site_settings.yml FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
spring.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
thin.yml.sample
unicorn.conf.rb DEV: Fix various rubocop lints (#24749) 2023-12-06 23:25:00 +01:00
unicorn_launcher FIX: Increase timeout when trying to reload unicorn. 2018-12-04 13:43:14 +08:00
unicorn_upstart.conf