mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-26 08:42:41 +01:00
Include the primary domain in the Content-Security-Policy explicitly if there's no CDN
Summary: Ref T4340. If you don't configure a CDN and visit a custom site (like a Phame blog site, or a CORGI sandbox internally) we serve resources from the main site. This violates the Content-Security-Policy. When there's no CDN, include the primary domain in the CSP explicitly. Test Plan: Loaded `local.www.phacility.com`, got resources. Maniphest Tasks: T4340 Differential Revision: https://secure.phabricator.com/D19170
This commit is contained in:
parent
2121f2dea6
commit
42e5b8a04b
1 changed files with 8 additions and 1 deletions
|
@ -109,7 +109,14 @@ abstract class AphrontResponse extends Phobject {
|
|||
if ($cdn) {
|
||||
$default = $this->newContentSecurityPolicySource($cdn);
|
||||
} else {
|
||||
$default = "'self'";
|
||||
// If an alternate file domain is not configured and the user is viewing
|
||||
// a Phame blog on a custom domain or some other custom site, we'll still
|
||||
// serve resources from the main site. Include the main site explicitly.
|
||||
|
||||
$base_uri = PhabricatorEnv::getURI('/');
|
||||
$base_uri = $this->newContentSecurityPolicySource($base_uri);
|
||||
|
||||
$default = "'self' {$base_uri}";
|
||||
}
|
||||
|
||||
$csp[] = "default-src {$default}";
|
||||
|
|
Loading…
Reference in a new issue