revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-22 06:42:42 +01:00
Code Issues Releases Wiki Activity

Fix Content-Security-Policy headers on "Email Login" page

Browse source 
Summary:
In D20100, I changed this page from returning a `newPage()` with a dialog as its content to returning a more modern `newDialog()`.

However, the magic to add stuff to the CSP header is actually only on the `newPage()` pathway today, so this accidentally dropped the extra "Content-Security-Policy" rule for Google.

Lift the magic up one level so both Dialog and Page responses hit it.

Test Plan:
  - Configured Recaptcha.
  - Between D20100 and this patch: got a CSP error on the Email Login page.
  - After this patch: clicked all the pictures of cars / store fronts.

Reviewers: amckinley

Reviewed By: amckinley

Differential Revision: https://secure.phabricator.com/D20163
This commit is contained in:
epriestley 2019-02-13 15:25:20 -08:00
parent 889eca1af9
commit c5772f51de
2 changed files with 11 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/aphront/sink/AphrontHTTPSink.php
View file

@ -111,6 +111,17 @@ abstract class AphrontHTTPSink extends Phobject {
// HTTP headers.
$data = $response->getContentIterator();
// This isn't an exceptionally clean separation of concerns, but we need
// to add CSP headers for all response types (including both web pages
// and dialogs) and can't determine the correct CSP until after we render
// the page (because page elements like Recaptcha may add CSP rules).
$static = CelerityAPI::getStaticResourceResponse();
foreach ($static->getContentSecurityPolicyURIMap() as $kind => $uris) {
foreach ($uris as $uri) {
$response->addContentSecurityPolicyURI($kind, $uri);
}
}
$all_headers = array_merge(
$response->getHeaders(),
$response->getCacheHeaders());

7
src/view/page/PhabricatorStandardPageView.php
View file

@ -892,13 +892,6 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView
$response = id(new AphrontWebpageResponse())
->setContent($content)
->setFrameable($this->getFrameable());
$static = CelerityAPI::getStaticResourceResponse();
foreach ($static->getContentSecurityPolicyURIMap() as $kind => $uris) {
foreach ($uris as $uri) {
$response->addContentSecurityPolicyURI($kind, $uri);
}
}
}
return $response;