Page MenuHomePhabricator

Add "object-src 'none'" to the Content-Security-Policy
ClosedPublic

Authored by epriestley on Feb 28 2018, 10:17 PM.
Tags
None
Referenced Files
F15560644: D19154.id45889.diff
Tue, Apr 29, 3:46 PM
F15559360: D19154.id45885.diff
Tue, Apr 29, 8:22 AM
F15549706: D19154.diff
Sun, Apr 27, 7:28 AM
F15539428: D19154.diff
Fri, Apr 25, 1:33 AM
F15525822: D19154.id45889.diff
Mon, Apr 21, 5:07 PM
F15504536: D19154.id45885.diff
Mon, Apr 14, 6:39 PM
F15458256: D19154.id45885.diff
Mar 30 2025, 10:15 PM
F15458255: D19154.id45889.diff
Mar 30 2025, 10:15 PM
Subscribers
None

Details

Summary

See PHI399. Ref T4340. We don't require Flash/Java anywhere and can safely block them unconditionally in the Content-Security-Policy header.

Test Plan

Added a <object ... /> tag to a page, saw "Blocked Plug-In" and a CSP warning in the browser console.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

This revision was not accepted when it landed; it landed in state Needs Review.Mar 1 2018, 1:19 AM
This revision was automatically updated to reflect the committed changes.