Block use of "<base />" in the Content Security Policy
Summary: Ref T4340. We don't use "<base />", so we can safely block it.

Test Plan: Injected "<base />" into a page and saw an error in the console showing that the browser had blocked it.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19158
This commit is contained in:
parent
a2fdf14275
commit
d5befb1a0e
1 changed files with 3 additions and 0 deletions
|
@ -154,6 +154,9 @@ abstract class AphrontResponse extends Phobject {
|
||||||
// download URI instead of submitting a form to it.
|
// download URI instead of submitting a form to it.
|
||||||
$csp[] = "form-action 'self'";
|
$csp[] = "form-action 'self'";
|
||||||
|
|
||||||
|
// Block use of "<base>" to change the origin of relative URIs on the page.
|
||||||
|
$csp[] = "base-uri 'none'";
|
||||||
|
|
||||||
$csp = implode('; ', $csp);
|
$csp = implode('; ', $csp);
|
||||||
|
|
||||||
return $csp;
|
return $csp;
|
||||||
|
|
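Review bot: The comment above the new `$csp[] = "base-uri 'none'";` line says what `<base>` does but not why a dedicated directive is needed, and since `base-uri` is one of the CSP directives that does not fall back to `default-src`, a later maintainer could read it as redundant with the rest of the policy and drop it. I would extend the comment to `// "base-uri" does not fall back to "default-src", so it must be set explicitly.` The test plan covers this only by manual injection in a browser; if the project has tests over the assembled response headers, asserting that the joined policy contains `base-uri 'none'` would catch the directive being lost silently. The enclosing method starts before this hunk, so I cannot see whether any part of the policy is built conditionally.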