FEATURE: Add CSP frame-ancestors support (#12404)

This commit is contained in:
Rafael dos Santos Silva
2021-03-22 16:00:25 -03:00
committed by GitHub
parent 706ea6692d
commit fb4486d5f1
6 changed files with 70 additions and 5 deletions


@@ -13,6 +13,7 @@ class ContentSecurityPolicy
directives[:script_src] = script_src
directives[:worker_src] = worker_src
directives[:report_uri] = report_uri if SiteSetting.content_security_policy_collect_reports
directives[:frame_ancestors] = frame_ancestors if restrict_embed?
end
end
@@ -73,5 +74,17 @@ class ContentSecurityPolicy
def report_uri
"#{base_url}/csp_reports"
end
def frame_ancestors
[
"'self'",
*EmbeddableHost.pluck(:host).map { |host| "https://#{host}" }
]
end
def restrict_embed?
SiteSetting.content_security_policy_frame_ancestors &&
!SiteSetting.embed_any_origin
end
end
end
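Review bot: In `frame_ancestors` every `EmbeddableHost` host is interpolated into the policy verbatim with a hard-coded `https://` prefix, so a host entry that is only reachable over plain http, or one that includes a port or path, will not match the resulting source expression and embeds from it will be silently blocked once `content_security_policy_frame_ancestors` is on. Because the value lands directly in a response header, a host value containing whitespace or `;` would also corrupt the directive; this is presumably caught by `EmbeddableHost` validation, but that is not visible here and is worth confirming. A short comment would make the intent explicit, e.g. `# Only https embed hosts are allowed to frame the site; 'self' is always permitted. frame-ancestors takes precedence over X-Frame-Options in browsers that support it.` Note also that `pluck` issues a query each time the policy is built, which may be per request depending on how the caller caches the policy. The `directives` method edited in the first hunk starts outside the hunk.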