abunchtell
/
mastodon
1
0
複製 0
程式碼 問題管理 0 Activity
瀏覽代碼

Fix CSP needlessly allowing blob URLs in script-src (#11620)

master^2
ThibG 4 年之前
committed by Eugen Rochko
父節點
dff46b260b
當前提交
8203e24cf4
共有 1 個文件被更改,包括 4 次插入2 次删除
分割檢視
Diff Options
Show Stats Download Patch File Download Diff File
  1. +4
    -2
      config/initializers/content_security_policy.rb

+ 4
- 2
config/initializers/content_security_policy.rb 查看文件

@@ -31,10 +31,12 @@ Rails.application.config.content_security_policy do |p|
webpacker_urls = %w(ws http).map { |protocol| "#{protocol}#{Webpacker.dev_server.https? ? 's' : ''}://#{Webpacker.dev_server.host_with_port}" }

p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url, *webpacker_urls
p.script_src :self, :blob, :unsafe_inline, :unsafe_eval, assets_host
p.script_src :self, :unsafe_inline, :unsafe_eval, assets_host
p.worker_src :self, :blob, assets_host
else
p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url
p.script_src :self, :blob, assets_host
p.script_src :self, assets_host
p.worker_src :self, :blob, assets_host
end
end



Write Preview
Loading…
取消
儲存