revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-22 23:02:42 +01:00
Code Issues Releases Wiki Activity

Block use of "<base />" in the Content Security Policy

Browse source 
Summary: Ref T4340. We don't use "<base />" so we can safely block it.

Test Plan: Injected "<base />" into a page, saw an error in the console showing that the browser had blocked it.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19158
This commit is contained in:
epriestley 2018-02-28 18:51:37 -08:00
parent a2fdf14275
commit d5befb1a0e
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
src/aphront/response/AphrontResponse.php
View file

@ -154,6 +154,9 @@ abstract class AphrontResponse extends Phobject {
// download URI instead of submitting a form to it.
$csp[] = "form-action 'self'";
// Block use of "<base>" to change the origin of relative URIs on the page.
$csp[] = "base-uri 'none'";
$csp = implode('; ', $csp);
return $csp;