FEATURE: Add upgrade-insecure-requests to CSP when force_https is enabled (#13348)

If force_https is enabled, all resources (including markdown preview and so on) will be accessed using HTTPS.

If for any reason you attempt to link to content that is not reachable over HTTPS, that content may appear broken.
Penar Musaraj 2021-06-09 20:53:10 -04:00 committed by GitHub
parent 2a4a20ad67
commit 6f76479054
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 0 deletions


@ -8,6 +8,7 @@ class ContentSecurityPolicy
def initialize(base_url:)
@base_url = base_url
@directives = {}.tap do |directives|
directives[:upgrade_insecure_requests] = [] if SiteSetting.force_https
directives[:base_uri] = [:none]
directives[:object_src] = [:none]
directives[:script_src] = script_src
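Review bot: The new `directives[:upgrade_insecure_requests] = [] if SiteSetting.force_https` line carries no explanation of why the value is an empty array, and a reader who does not know CSP will assume a source list is missing; a short comment would prevent a well-meant "fix" that adds values. I would put `# upgrade-insecure-requests takes no value; an empty list serializes as the bare directive token.` above it. It is also worth recording next to it that the directive is only enforced by browsers under the Content-Security-Policy header and is inert under Content-Security-Policy-Report-Only, so if this class also feeds a report-only header (not visible here) the upgrade behaviour would not apply there; and that since the setting is read once in initialize, a cached policy instance will not track later changes to force_https, which is worth confirming against how the policy object is built. The initialize method and its tap block continue past the end of the hunk.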


@ -32,6 +32,18 @@ describe ContentSecurityPolicy do
end
end
describe 'upgrade-insecure-requests' do
it 'is not included when force_https is off' do
SiteSetting.force_https = false
expect(parse(policy)['upgrade-insecure-requests']).to eq(nil)
end
it 'is included when force_https is on' do
SiteSetting.force_https = true
expect(parse(policy)['upgrade-insecure-requests']).to eq([])
end
end
describe 'worker-src' do
it 'has expected values' do
worker_srcs = parse(policy)['worker-src']