mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-23 14:00:56 +01:00
Add "object-src 'none'" to the Content-Security-Policy
Summary: See PHI399. Ref T4340. We don't require Flash/Java anywhere and can safely block them unconditionally in the Content-Security-Policy header. Test Plan: Added a `<object ... />` tag to a page, saw "Blocked Plug-In" and a CSP warning in the browser console. Maniphest Tasks: T4340 Differential Revision: https://secure.phabricator.com/D19154
This commit is contained in:
parent
f114b2dd7d
commit
a5efd7eedb
1 changed files with 3 additions and 0 deletions
|
@ -144,6 +144,9 @@ abstract class AphrontResponse extends Phobject {
|
|||
$csp[] = "frame-ancestors 'none'";
|
||||
}
|
||||
|
||||
// Block relics of the old world: Flash, Java applets, and so on.
|
||||
$csp[] = "object-src 'none'";
|
||||
|
||||
$csp = implode('; ', $csp);
|
||||
|
||||
return $csp;
|
||||
|
|
Loading…
Reference in a new issue