1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-30 02:32:42 +01:00

Include the primary domain in the Content-Security-Policy explicitly if there's no CDN

Summary:
Ref T4340. If you don't configure a CDN and visit a custom site (like a Phame blog site, or a CORGI sandbox internally) we serve resources from the main site. This violates the Content-Security-Policy.

When there's no CDN, include the primary domain in the CSP explicitly.

Test Plan: Loaded `local.www.phacility.com`, got resources.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19170
This commit is contained in:
epriestley 2018-03-02 06:59:55 -08:00
parent 2121f2dea6
commit 42e5b8a04b

View file

@ -109,7 +109,14 @@ abstract class AphrontResponse extends Phobject {
if ($cdn) {
$default = $this->newContentSecurityPolicySource($cdn);
} else {
$default = "'self'";
// If an alternate file domain is not configured and the user is viewing
// a Phame blog on a custom domain or some other custom site, we'll still
// serve resources from the main site. Include the main site explicitly.
$base_uri = PhabricatorEnv::getURI('/');
$base_uri = $this->newContentSecurityPolicySource($base_uri);
$default = "'self' {$base_uri}";
}
$csp[] = "default-src {$default}";