From 8d856af7261ceb2a8f0dc77cb962d6e78e55f9be Mon Sep 17 00:00:00 2001
From: epriestley
Date: Wed, 13 Feb 2019 15:25:20 -0800
Subject: [PATCH] (stable) Fix Content-Security-Policy headers on "Email Login" page

Summary: In D20100, I changed this page from returning a `newPage()` with a dialog as its content to returning a more modern `newDialog()`.

However, the magic to add stuff to the CSP header is actually only on the `newPage()` pathway today, so this accidentally dropped the extra "Content-Security-Policy" rule for Google.

Lift the magic up one level so both Dialog and Page responses hit it.

Test Plan:
- Configured Recaptcha.
- Between D20100 and this patch: got a CSP error on the Email Login page.
- After this patch: clicked all the pictures of cars / store fronts.

Reviewers: amckinley

Reviewed By: amckinley

Differential Revision: https://secure.phabricator.com/D20163
---
 src/aphront/sink/AphrontHTTPSink.php | 11 +++++++++++
 src/view/page/PhabricatorStandardPageView.php | 7 -------
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/aphront/sink/AphrontHTTPSink.php b/src/aphront/sink/AphrontHTTPSink.php
index 51c54df520..7c9cc3fc0f 100644
--- a/src/aphront/sink/AphrontHTTPSink.php
+++ b/src/aphront/sink/AphrontHTTPSink.php
@@ -103,6 +103,17 @@ abstract class AphrontHTTPSink extends Phobject {
     // HTTP headers.
     $data = $response->getContentIterator();
 
+    // This isn't an exceptionally clean separation of concerns, but we need
+    // to add CSP headers for all response types (including both web pages
+    // and dialogs) and can't determine the correct CSP until after we render
+    // the page (because page elements like Recaptcha may add CSP rules).
+    $static = CelerityAPI::getStaticResourceResponse();
+    foreach ($static->getContentSecurityPolicyURIMap() as $kind => $uris) {
+      foreach ($uris as $uri) {
+        $response->addContentSecurityPolicyURI($kind, $uri);
+      }
+    }
+
     $all_headers = array_merge(
       $response->getHeaders(),
       $response->getCacheHeaders());
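Review bot: The new CSP merge in this hunk is only correct if every page element that registers a CSP URI has already run by the time `$response->getContentIterator()` returns, yet nothing pins that ordering; if a response type ever builds its content lazily inside the iterator, its Recaptcha-style rules would be registered after `$all_headers` is assembled and the emitted policy would silently omit them. I would make the invariant explicit with a comment above the `$static` line, e.g. `// NOTE: Must stay after getContentIterator() (rendering registers CSP URIs) and before $all_headers is built.` It is also worth recording that this now runs for every response passing through the sink, not only webpages, so the static resource response is consulted even for responses that never render Celerity resources; that appears harmless because an empty URI map adds nothing, but a one-line comment saying so would spare the next reader the question. The enclosing method starts and ends outside the hunk.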
diff --git a/src/view/page/PhabricatorStandardPageView.php b/src/view/page/PhabricatorStandardPageView.php
index 99143add5f..cfb1b4abbe 100644
--- a/src/view/page/PhabricatorStandardPageView.php
+++ b/src/view/page/PhabricatorStandardPageView.php
@@ -892,13 +892,6 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView
       $response = id(new AphrontWebpageResponse())
         ->setContent($content)
         ->setFrameable($this->getFrameable());
-
-      $static = CelerityAPI::getStaticResourceResponse();
-      foreach ($static->getContentSecurityPolicyURIMap() as $kind => $uris) {
-        foreach ($uris as $uri) {
-          $response->addContentSecurityPolicyURI($kind, $uri);
-        }
-      }
     }
 
     return $response;