discourse/config/initializers
David Taylor b1f74ab59e
FEATURE: Add experimental option for strict-dynamic CSP (#25664)
The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction.

This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts.

All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags.

This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
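The nonce-based `'strict-dynamic'` flow the commit message describes, as an added example and not code from Discourse or this commit: a fresh per-request nonce, the resulting policy header, a helper that stamps the nonce onto `<script>` tags the way the message says theme-injected scripts get it automatically, and an audit that reports which tags a strict-dynamic policy would actually execute. The helper and audit names, the regex-based tag handling, and the sample HTML are assumptions constructed for illustration. The caveat a practitioner should keep in mind is visible in the audit: once a nonced script runs, anything it loads through `document.createElement("script")` or `import()` is trusted without further checks, so the trust boundary moves to whatever the admin chooses to include (a tag manager, an ad loader); parser-inserted markup such as `innerHTML` does not inherit that trust.

```ruby
require "securerandom"
require "base64"

# Per-request nonce: 128 bits of CSPRNG output. Base64 output is a valid
# nonce-source token under the CSP grammar.
def generate_csp_nonce
  Base64.strict_encode64(SecureRandom.random_bytes(16))
end

# Content-Security-Policy value. With 'strict-dynamic' a CSP3 browser ignores
# host allowlists for script-src and executes only scripts carrying the nonce,
# plus scripts those scripts load via non-parser APIs.
def strict_dynamic_csp(nonce)
  [
    "script-src 'nonce-#{nonce}' 'strict-dynamic'",
    "object-src 'none'",
    "base-uri 'none'",
  ].join("; ")
end

SCRIPT_OPEN_TAG = /<script\b([^>]*)>/i
NONCE_ATTR = /\bnonce=(["'])([^"']*)\1/i
SRC_ATTR = /\bsrc=(["'])([^"']*)\1/i

# Hypothetical helper (not Discourse's implementation): add the request nonce
# to every <script> opening tag that does not already carry a nonce attribute.
def add_nonce_to_script_tags(html, nonce)
  html.gsub(SCRIPT_OPEN_TAG) do |tag|
    attrs = Regexp.last_match(1)
    attrs =~ NONCE_ATTR ? tag : "<script nonce=\"#{nonce}\"#{attrs}>"
  end
end

# Audit server-rendered HTML the way a strict-dynamic policy would judge it:
# a tag executes only if its nonce equals the request nonce. Returns one hash
# per tag with :src (nil for inline), :nonce and :allowed.
def audit_script_tags(html, nonce)
  html.scan(SCRIPT_OPEN_TAG).map do |(attrs)|
    tag_nonce = attrs[NONCE_ATTR, 2]
    { src: attrs[SRC_ATTR, 2], nonce: tag_nonce, allowed: tag_nonce == nonce }
  end
end

if __FILE__ == $PROGRAM_NAME
  nonce = generate_csp_nonce
  # Constructed sample page: a core bundle, an inline theme script, and a
  # plugin-inserted tag that still carries a nonce from an earlier request.
  page = <<~HTML
    <script src="/assets/discourse.js"></script>
    <script>console.log("theme init")</script>
    <script nonce="stale" src="/plugins/legacy.js"></script>
  HTML
  puts "Content-Security-Policy: #{strict_dynamic_csp(nonce)}"
  audit_script_tags(add_nonce_to_script_tags(page, nonce), nonce).each do |r|
    puts r.inspect
  end
end
```

Running the file prints the header and three audit rows: the core and theme tags are allowed because they received the request nonce, while the plugin tag with the stale nonce is blocked, which is the "plugins may need some changes" case the commit message calls out.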
000-development_reload_warnings.rb DEV: Further refine development reload for plugin files (#22141) 2023-06-16 16:15:15 +08:00
000-mini_sql.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
000-post_migration.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
000-trace_pg_connections.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
000-zeitwerk.rb DEV: Seperate concerns of tracking GC stat from `MethodProfiler` (#22921) 2023-08-02 10:46:37 +08:00
001-redis.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
002-freedom_patches.rb FIX: deprecation warning - initialization autoloaded the constant (#12400) 2021-03-16 09:47:57 +11:00
002-rails_failover.rb FEATURE: Introduce pg_force_readonly_mode GlobalSetting (#19612) 2023-01-19 13:59:11 +00:00
004-message_bus.rb DEV: Patch capybara to ignore client-triggered errors (#19972) 2023-01-24 11:07:29 +00:00
005-site_settings.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
006-ensure_login_hint.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
006-mini_profiler.rb FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
008-rack-cors.rb FIX: Ensure app-cdn CORS is not overridden by cors_origin setting (#24661) 2023-12-01 12:57:11 +00:00
009-omniauth.rb DEV: Drop legacy OpenID 2.0 support (#8894) 2020-02-07 17:32:35 +00:00
012-web_hook_events.rb FEATURE: Add webhooks for user suspend and unsuspend (#23684) 2023-09-28 10:51:05 +02:00
013-excon_defaults.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
014-track-setting-changes.rb PERF: Cache ToS and Privacy Policy paths (#21860) 2023-06-07 21:31:20 +03:00
099-anon-cache.rb FEATURE: Add experimental option for strict-dynamic CSP (#25664) 2024-02-16 11:16:54 +00:00
099-drain_pool.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
100-i18n.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
100-logster.rb FIX: Logster backlink config in production (#25685) 2024-02-15 13:48:36 +11:00
100-oj.rb DEV: default Oj to compat mode 2020-01-16 07:52:28 +11:00
100-onebox_options.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
100-push-notifications.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
100-quiet_logger.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
100-regex-timeout.rb DEV: Introduce regex_timeout_seconds global setting (#20774) 2023-03-22 12:01:35 +00:00
100-secret_token.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
100-session_store.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
100-sidekiq.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
100-silence_logger.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
100-strong_parameters.rb DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
100-verify_config.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
100-wrap_parameters.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
101-lograge.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
102-truncate-logs.rb SECURITY: Add a default limit as to when logs should be truncated 2023-10-16 10:34:38 -04:00
200-first_middlewares.rb DEV: Block all incoming requests before resetting Capybara session (#25692) 2024-02-15 16:36:12 +08:00
300-perf.rb FEATURE: add hook after all initializers 2019-08-26 10:49:26 +10:00
400-deprecations.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
assets.rb DEV: Update confirm-email flows to use central 2fa and ember rendering (#25404) 2024-01-30 10:32:42 +00:00
filter_parameter_logging.rb DEV: Apply syntax_tree formatting to `config/*` 2023-01-09 11:13:29 +00:00
new_framework_defaults_7_0.rb Revert "DEV: Migrate existing cookies to Rails 7 format" 2023-01-12 12:07:49 +01:00