discourse/app/views
David Taylor b1f74ab59e
FEATURE: Add experimental option for strict-dynamic CSP (#25664)
The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction.

This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts.

All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags.

This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
about FEATURE: Add plugin API to register About stat group (#17442) 2022-07-15 13:16:00 +10:00
admin/backups
application
badges
categories UX: Include subcategories in crawler view (#21227) 2023-04-25 10:51:45 -04:00
common FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
default
email FIX: Validate unsubscribe key has an associated user (#19262) 2022-11-30 14:29:07 -03:00
embed
exceptions
finish_installation FIX: Broken images on subfolder installs (#19404) 2022-12-09 11:24:12 -07:00
groups
invites FIX: broken emoji url on password reset w/ subfolder (#19373) 2022-12-09 10:01:43 -07:00
layouts FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
list PERF: Avoid calling the same translation twice when rendering lists view (#22976) 2023-08-04 13:38:41 +08:00
metadata
offline
posts
published_pages
qunit DEV: Use WebPack stats plugin to map entrypoints to chunks (#24239) 2023-11-07 10:24:49 +00:00
robots_txt removed broken link and comments from no_index.erb (#25648) 2024-02-14 12:09:24 +08:00
safe_mode DEV: Add `safe_mode=deprecation_errors` mode (#24870) 2023-12-13 14:06:59 +00:00
search
session
sitemap
static DEV: add class for static login description section (#22002) 2023-06-08 19:51:41 +05:30
tags
topics FIX: set microdata schema for topic on missing first post (#25195) 2024-01-12 16:29:03 +05:30
user_api_keys
user_notifications FIX: Likes received count in digest email (#21458) 2023-05-09 19:19:26 +02:00
users FIX: Account activation under ember-5 build (#24722) 2023-12-05 17:49:40 +00:00