FIX: Do not include URL query in auto-generated CSP header (#11673)

David Taylor
2021-01-09 13:52:53 +00:00
committed by GitHub
parent 9da9b2e1cc
commit b0088361a4
2 changed files with 5 additions and 0 deletions


@@ -70,6 +70,8 @@ class ContentSecurityPolicy
next if uri.host.nil? # Ignore same-domain scripts (theme-javascripts)
next if uri.path.nil? # Ignore raw hosts
uri.query = nil # CSP should not include query part of url
uri_string = uri.to_s.sub(/^\/\//, '') # Protocol-less CSP should not have // at beginning of URL
auto_script_src_extension[:script_src] << uri_string