FEATURE: Enable strict-dynamic Content-Security-Policy by default (#26051)

Ref https://meta.discourse.org/t/298172 and https://meta.discourse.org/t/295603
2025-02-25 18:55:32 -06:00 · 2024-03-07 15:20:31 +00:00
parent ac0808a320
commit 92d357f91a
6 changed files with 43 additions and 20 deletions
--- a/spec/requests/application_controller_spec.rb
+++ b/spec/requests/application_controller_spec.rb
@@ -647,14 +647,14 @@ RSpec.describe ApplicationController do
      get "/"
      script_src = parse(response.headers["Content-Security-Policy"])["script-src"]

-      expect(script_src).to_not include("example.com")
+      expect(script_src).to_not include("'unsafe-inline'")

-      SiteSetting.content_security_policy_script_src = "example.com"
+      SiteSetting.content_security_policy_script_src = "'unsafe-inline'"

      get "/"
      script_src = parse(response.headers["Content-Security-Policy"])["script-src"]

-      expect(script_src).to include("example.com")
+      expect(script_src).to include("'unsafe-inline'")
    end

    it "does not set CSP when responding to non-HTML" do