nocebo/diaspora
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #7730 from Fensterbank/fix-profile-picture-csp

Browse source 
Allow blob: URIs to be used as a content source in CSP header
This commit is contained in:
Benjamin Neff 2018-03-04 01:49:01 +01:00
commit e7c6496a09
No known key found for this signature in database
GPG key ID: 971464C3F1A90194
1 changed files with 14 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
config/initializers/secure_headers.rb
View file

@ -3,21 +3,23 @@
SecureHeaders::Configuration.default do |config| SecureHeaders::Configuration.default do |config|
config.hsts = SecureHeaders::OPT_OUT # added by Rack::SSL config.hsts = SecureHeaders::OPT_OUT # added by Rack::SSL
# rubocop:disable Lint/PercentStringArray
csp = { csp = {
default_src: %w('none'), default_src: %w['none'],
child_src: %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com child_src: %w['self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
www.instagram.com), www.instagram.com],
connect_src: %w('self' embedr.flickr.com geo.query.yahoo.com nominatim.openstreetmap.org api.github.com), connect_src: %w['self' embedr.flickr.com geo.query.yahoo.com nominatim.openstreetmap.org api.github.com],
font_src: %w('self'), font_src: %w['self'],
form_action: %w('self' platform.twitter.com syndication.twitter.com), form_action: %w['self' platform.twitter.com syndication.twitter.com],
frame_ancestors: %w('self'), frame_ancestors: %w['self'],
img_src: %w('self' data: *), img_src: %w['self' data: blob: *],
media_src: %w(https:), media_src: %w[https:],
script_src: %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com script_src: %w['self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
embedr.flickr.com platform.instagram.com 'unsafe-inline'), embedr.flickr.com platform.instagram.com 'unsafe-inline'],
style_src: %w('self' 'unsafe-inline' platform.twitter.com *.twimg.com) style_src: %w['self' 'unsafe-inline' platform.twitter.com *.twimg.com]
} }
# rubocop:enable Lint/PercentStringArray
if AppConfig.environment.assets.host.present? if AppConfig.environment.assets.host.present?
asset_host = Addressable::URI.parse(AppConfig.environment.assets.host.get).host asset_host = Addressable::URI.parse(AppConfig.environment.assets.host.get).host