1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-22 14:52:41 +01:00

Fix Content-Security-Policy headers on "Email Login" page

Summary:
In D20100, I changed this page from returning a `newPage()` with a dialog as its content to returning a more modern `newDialog()`.

However, the magic to add stuff to the CSP header is actually only on the `newPage()` pathway today, so this accidentally dropped the extra "Content-Security-Policy" rule for Google.

Lift the magic up one level so both Dialog and Page responses hit it.

Test Plan:
  - Configured Recaptcha.
  - Between D20100 and this patch: got a CSP error on the Email Login page.
  - After this patch: clicked all the pictures of cars / store fronts.

Reviewers: amckinley

Reviewed By: amckinley

Differential Revision: https://secure.phabricator.com/D20163
This commit is contained in:
epriestley 2019-02-13 15:25:20 -08:00
parent 889eca1af9
commit c5772f51de
2 changed files with 11 additions and 7 deletions

View file

@ -111,6 +111,17 @@ abstract class AphrontHTTPSink extends Phobject {
// HTTP headers. // HTTP headers.
$data = $response->getContentIterator(); $data = $response->getContentIterator();
// This isn't an exceptionally clean separation of concerns, but we need
// to add CSP headers for all response types (including both web pages
// and dialogs) and can't determine the correct CSP until after we render
// the page (because page elements like Recaptcha may add CSP rules).
$static = CelerityAPI::getStaticResourceResponse();
foreach ($static->getContentSecurityPolicyURIMap() as $kind => $uris) {
foreach ($uris as $uri) {
$response->addContentSecurityPolicyURI($kind, $uri);
}
}
$all_headers = array_merge( $all_headers = array_merge(
$response->getHeaders(), $response->getHeaders(),
$response->getCacheHeaders()); $response->getCacheHeaders());

View file

@ -892,13 +892,6 @@ final class PhabricatorStandardPageView extends PhabricatorBarePageView
$response = id(new AphrontWebpageResponse()) $response = id(new AphrontWebpageResponse())
->setContent($content) ->setContent($content)
->setFrameable($this->getFrameable()); ->setFrameable($this->getFrameable());
$static = CelerityAPI::getStaticResourceResponse();
foreach ($static->getContentSecurityPolicyURIMap() as $kind => $uris) {
foreach ($uris as $uri) {
$response->addContentSecurityPolicyURI($kind, $uri);
}
}
} }
return $response; return $response;