1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 14:00:56 +01:00

Add "object-src 'none'" to the Content-Security-Policy

Summary: See PHI399. Ref T4340. We don't require Flash/Java anywhere and can safely block them unconditionally in the Content-Security-Policy header.

Test Plan: Added a `<object ... />` tag to a page, saw "Blocked Plug-In" and a CSP warning in the browser console.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19154
This commit is contained in:
epriestley 2018-02-28 14:15:02 -08:00
parent f114b2dd7d
commit a5efd7eedb

View file

@ -144,6 +144,9 @@ abstract class AphrontResponse extends Phobject {
$csp[] = "frame-ancestors 'none'";
}
// Block relics of the old world: Flash, Java applets, and so on.
$csp[] = "object-src 'none'";
$csp = implode('; ', $csp);
return $csp;