Drop superfluous CSP (+report object-src) #14897
base: main
Codecov Report
Attention: Patch coverage is

@@ Coverage Diff @@
##            main   #14897   +/-   ##
======================================
- Coverage   77.34%   77.33%  -0.01%
======================================
  Files        161      161
  Lines       8348     8349     +1
======================================
  Hits        6457     6457
- Misses      1891     1892     +1
@@ -269,6 +265,7 @@ | |||
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["report-uri"] = csp_report_uri | |||
# CSP directive updates we're testing that we hope to move to the enforced policy. | |||
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["frame-ancestors"] = [csp.constants.NONE] | |||
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["object-src"] = [csp.constants.NONE] |
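Review bot: the new object-src line only yields anything if the report-uri set three lines above (csp_report_uri) points at an endpoint that actually receives and keeps reports in the environments this runs in; worth confirming before relying on it to "surface any hypothetical use". Since object-src falls back to default-src when absent, the report-only policy previously inherited the default-src host list for plugin and embed loads, so spelling it out as 'none' is the right shape for a directive you intend to promote to the enforced policy; the comment on the line above still describes it accurately.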
I'm also a little tempted to test-drive restricting default-src to just self? (Instead of all the default wildcards)
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["object-src"] = [csp.constants.NONE] | |
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["object-src"] = [csp.constants.NONE] | |
CONTENT_SECURITY_POLICY_REPORT_ONLY["DIRECTIVES"]["default-src"] = [csp.constants.SELF] |
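Review bot: default-src is the fallback for every fetch directive the report-only policy does not list explicitly (script-src, style-src, img-src, font-src, connect-src and so on), so the suggested default-src 'self' will generate reports for every third-party host those directives currently rely on, not just for plugin or frame loads; fine to test-drive since the policy is report-only, but expect the report endpoint behind csp_report_uri to see a much larger volume, and note the suggestion as rendered repeats the object-src line twice.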
One-line summary
Removes hosts already covered by defaults/wildcards appended to every policy.
Significant changes and points to review
(This will be redone anyways for #11943 when every policy gets its own subset of hosts, instead of appending the default wildcards everywhere…)
Also adds object-src: none to report-only to help surface any hypothetical use.

Issue / Bugzilla link
#14896 (+#11943)
Testing
curl -I http://localhost:8000/de/
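An added example (not code from this PR or from the project it targets) that checks the headers the curl command above returns, offline: it parses each Content-Security-Policy / -Report-Only header into directives, flags host-sources already matched by a wildcard host in the same directive (the "superfluous hosts" this PR drops), and checks that the report-only policy carries object-src 'none' together with a reporting endpoint, without which the new directive could never surface a violation. The response text, the example.org/example.net hosts and the /csp-violation-capture path are constructed for the example.

```python
"""Audit CSP headers from a raw `curl -I` response head (added example)."""
from __future__ import annotations

# Constructed stand-in for the raw output of `curl -I http://localhost:8000/de/`.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self' *.example.net; script-src 'self' www.example.org *.example.org cdn.example.net *.example.net; img-src 'self' data: www.example.org
Content-Security-Policy-Report-Only: default-src 'self'; frame-ancestors 'none'; object-src 'none'; report-uri /csp-violation-capture
"""


def parse_headers(raw_response: str) -> dict[str, str]:
    """Map lowercase header names to values, skipping the status line."""
    headers = {}
    for line in raw_response.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive name: [source expressions]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def host_of(source: str) -> str | None:
    """Host part of a host-source; None for keywords ('self'), scheme-sources
    (data:) and path-only values such as a report-uri target."""
    if source.startswith("'") or source.endswith(":"):
        return None
    host = source.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host.lower() or None


def wildcard_covers(wildcard: str, host: str) -> bool:
    """CSP host matching for a wildcard host: '*' matches every host and
    '*.example.org' matches any subdomain of example.org, not the bare domain."""
    if wildcard == "*":
        return True
    suffix = wildcard[1:]  # "*.example.org" -> ".example.org"
    return host.endswith(suffix) and len(host) > len(suffix)


def superfluous_sources(sources: list[str]) -> list[str]:
    """Host-sources that a wildcard host in the same directive already matches."""
    hosts = [(src, host_of(src)) for src in sources]
    wildcards = [h for _, h in hosts if h and h.startswith("*")]
    return [
        src for src, h in hosts
        if h and not h.startswith("*") and any(wildcard_covers(w, h) for w in wildcards)
    ]


def check_report_only(directives: dict[str, list[str]]) -> list[str]:
    """Properties this PR wants to hold for the report-only policy."""
    problems = []
    if directives.get("object-src") != ["'none'"]:
        problems.append("object-src is not 'none'")
    if "report-uri" not in directives and "report-to" not in directives:
        problems.append("no report-uri/report-to: violations would never be reported")
    return problems


def audit(raw_response: str) -> dict:
    """Run both checks over a raw HTTP response head and collect the findings."""
    headers = parse_headers(raw_response)
    findings = {"superfluous": {}, "report_only_problems": []}
    for name in ("content-security-policy", "content-security-policy-report-only"):
        value = headers.get(name)
        if value is None:
            continue
        directives = parse_csp(value)
        for directive, sources in directives.items():
            extra = superfluous_sources(sources)
            if extra:
                findings["superfluous"][f"{name}/{directive}"] = extra
        if name.endswith("report-only"):
            findings["report_only_problems"] = check_report_only(directives)
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_RESPONSE), indent=2))
```

On the constructed sample, the enforced policy's script-src is reported as carrying two hosts that its own wildcards already match, while the report-only policy passes both checks. Pipe real curl output into audit() to run it against a local instance; only the host part is compared, so a source that differs from its wildcard only by scheme or port is still reported as covered.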