minor changes to default script-src (#6770)

- add report-sample to force require a sample of the violating code
- do not whitelist GA/GTM's entire domain
Kyle Zhao
2018-12-14 08:17:31 -05:00
committed by GitHub
parent 03014b0d05
commit b0c2e9bb05
2 changed files with 6 additions and 4 deletions

@@ -44,13 +44,14 @@ class ContentSecurityPolicy
def script_src
[
:unsafe_eval,
:report_sample,
"#{base_url}/logs/",
"#{base_url}/sidekiq/",
"#{base_url}/mini-profiler-resources/",
*script_assets
].tap do |sources|
sources << 'https://www.google-analytics.com' if SiteSetting.ga_universal_tracking_code.present?
sources << 'https://www.googletagmanager.com' if SiteSetting.gtm_container_id.present?
sources << 'https://www.google-analytics.com/analytics.js' if SiteSetting.ga_universal_tracking_code.present?
sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present?
end
end
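Review bot: narrowing the Google Tag Manager entry from `https://www.googletagmanager.com` to `https://www.googletagmanager.com/gtm.js` (the new `sources << 'https://www.googletagmanager.com/gtm.js' if SiteSetting.gtm_container_id.present?` line) allows only the loader itself; the tags a container injects at runtime are fetched from whatever hosts the container is configured with, and a path-scoped source does not cover them, so a site that relies on GTM will start seeing those injected scripts blocked and reported after this change. That is a defensible default, but it should be stated in the commit message or in a comment next to the `.tap do |sources|` block, so that an operator whose container breaks on upgrade knows the intended remedy is to add the specific tag hosts to `script_src` rather than to reinstate the whole domain. Two smaller points: the `?id=...` query string that GA and GTM are loaded with does not affect matching, since CSP path matching ignores the query component, so the two path-scoped entries are correct as written; and `:report_sample` only causes a sample of the violating inline or eval'd code to be attached to violation reports, it does not itself tighten enforcement, so "force require a sample" in the commit message slightly overstates its effect and "include a sample in violation reports" would describe it more precisely.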