FEATURE: allow plugins and themes to extend the default CSP (#6704)

* FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now
2025-02-25 18:55:32 -06:00 · 2018-11-30 09:51:45 -05:00
parent 7dec963f2e
commit 488fba3c5f
13 changed files with 384 additions and 114 deletions
--- a/config/application.rb
+++ b/config/application.rb
@@ -204,7 +204,7 @@ module Discourse
      config.middleware.insert_after Rack::MethodOverride, Middleware::EnforceHostname
    end

-    require 'content_security_policy'
+    require 'content_security_policy/middleware'
    config.middleware.swap ActionDispatch::ContentSecurityPolicy::Middleware, ContentSecurityPolicy::Middleware

    require 'middleware/discourse_public_exceptions'