mirror of https://we.phorge.it/source/phorge.git synced 2024-11-26 16:52:41 +01:00

Block use of "<base />" in the Content Security Policy

Summary: Ref T4340. We don't use "<base />" so we can safely block it.

Test Plan: Injected "<base />" into a page, saw an error in the console showing that the browser had blocked it.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19158
This commit is contained in:
epriestley 2018-02-28 18:51:37 -08:00
parent a2fdf14275
commit d5befb1a0e

@ -154,6 +154,9 @@ abstract class AphrontResponse extends Phobject {
// download URI instead of submitting a form to it. // download URI instead of submitting a form to it.
$csp[] = "form-action 'self'"; $csp[] = "form-action 'self'";
// Block use of "<base>" to change the origin of relative URIs on the page.
$csp[] = "base-uri 'none'";
$csp = implode('; ', $csp); $csp = implode('; ', $csp);
return $csp; return $csp;
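Review bot: The new comment on the `base-uri` line should say why `'none'` is used rather than `'self'`: `base-uri` is one of the directives that does not fall back to `default-src`, so it has to be set explicitly as done here, and `'none'` forbids even a same-origin `<base>`, which is only safe because (per the Summary) the application never emits one. Suggest: `// Block "<base>" entirely; base-uri has no default-src fallback and we never emit it.` Since the Test Plan only checks that an injected `<base>` is blocked, it would also be worth confirming that a page with relative script, stylesheet and form URIs still resolves them against the document origin with the header in place.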