Merge pull request #7781 from SuperTux88/enable-csp-by-default

Enable Content-Security-Policy header by default
2018-06-16 21:20:26 +02:00 · 2018-06-16 21:20:26 +02:00 · 299c04a24a
commit 299c04a24a
parent 8983901b1a c0a4895854
3 changed files with 6 additions and 5 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -3,6 +3,7 @@
 ## Refactor
 * Add bootstrapping for using ECMAScript 6 with automatic transpiling for compatibility [#7581](https://github.com/diaspora/diaspora/pull/7581)
 * Remove backporting of mention syntax [#7788](https://github.com/diaspora/diaspora/pull/7788)
+* Enable Content-Security-Policy header by default [#7781](https://github.com/diaspora/diaspora/pull/7781)

 ## Bug fixes

--- a/config/defaults.yml
+++ b/config/defaults.yml
@ -150,7 +150,7 @@ defaults:
      title: 'diaspora* social network'
      description: 'diaspora* is the online social world where you are in control.'
    csp:
-      report_only: true
+      report_only: false
      report_uri:
  services:
    facebook:
--- a/config/diaspora.yml.example
+++ b/config/diaspora.yml.example
@ -571,10 +571,10 @@ configuration: ## Section
    ## is blocked by CSP.
    csp:

-      ## Report-Only header (default=true)
-      ## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
-      ## this to false, the "Content-Security-Policy" header is added instead.
-      #report_only: false
+      ## Report-Only header (default=false)
+      ## By default diaspora* adds a "Content-Security-Policy" header. If you set
+      ## this to true, the "Content-Security-Policy-Report-Only" header is added instead.
+      #report_only: true

      ## CSP report URI (default=)
      ## You can set an URI here, where the user agent reports violations as JSON document via a POST request.