From 358fbeba1434a23f2da16955b4f753afd23c39f4 Mon Sep 17 00:00:00 2001 From: Jeff Atwood Date: Wed, 19 Dec 2018 16:54:45 -0800 Subject: [PATCH] add CSP info for Discourse 2.2 --- docs/SECURITY.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 27d4fefd37f..190282feec2 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md @@ -27,6 +27,8 @@ There are 2 main scenarios we protect against: 2. **Markdown displayed on the page invokes an XSS.** To protect against client side preview XSS, Discourse uses [Google Caja](https://developers.google.com/caja/) in the preview window. +3. [**CSP is on by default** for all Discourse installations](https://meta.discourse.org/t/mitigate-xss-attacks-with-content-security-policy/104243) as of Discourse 2.2. It can be switched off in the site settings, but it is default on. + On the server side we run a whitelist based sanitizer, implemented using the [Sanitize gem](https://github.com/rgrove/sanitize). See the [relevant Discourse code](https://github.com/discourse/discourse/blob/master/lib/pretty_text.rb). In addition, titles and all other places where non-admins can enter code are protected either using the Handlebars library or standard Rails XSS protection.
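Review bot: the added item `3.` in this hunk is a mitigation, not a scenario, yet it is numbered under the intro "There are 2 main scenarios we protect against", so that intro now undercounts and the list mixes threats with defenses. Suggest either moving the CSP sentence into the paragraph that follows (which already describes the server-side sanitizer) as a defense-in-depth layer on top of sanitizing, or updating the intro count and rewording the item, e.g. `3. **CSP is on by default** for all Discourse installations as of Discourse 2.2. It can be switched off in the site settings, but is enabled by default.` The trailing "but it is default on" repeats the bolded claim at the start of the same sentence and can be dropped.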