revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2025-01-11 15:21:03 +01:00
Code Issues Releases Wiki Activity

Add "object-src 'none'" to the Content-Security-Policy

Browse source 
Summary: See PHI399. Ref T4340. We don't require Flash/Java anywhere and can safely block them unconditionally in the Content-Security-Policy header.

Test Plan: Added a `<object ... />` tag to a page, saw "Blocked Plug-In" and a CSP warning in the browser console.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19154
This commit is contained in:
epriestley 2018-02-28 14:15:02 -08:00
parent f114b2dd7d
commit a5efd7eedb
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
src/aphront/response/AphrontResponse.php
View file

@ -144,6 +144,9 @@ abstract class AphrontResponse extends Phobject {
$csp[] = "frame-ancestors 'none'"; $csp[] = "frame-ancestors 'none'";
} }
// Block relics of the old world: Flash, Java applets, and so on.
$csp[] = "object-src 'none'";
$csp = implode('; ', $csp); $csp = implode('; ', $csp);
return $csp; return $csp;