Add "object-src 'none'" to the Content-Security-Policy
ClosedPublic
Actions

Authored by epriestley on Feb 28 2018, 10:17 PM.

Details

Reviewers: None
Maniphest Tasks: T4340: Implement Content-Security-Policy and Strict-Transport-Security headers
Commits: rPa5efd7eedb3c: Add "object-src 'none'" to the Content-Security-Policy

Summary

See PHI399. Ref T4340. We don't require Flash/Java anywhere and can safely block them unconditionally in the Content-Security-Policy header.

Test Plan

Added a <object ... /> tag to a page, saw "Blocked Plug-In" and a CSP warning in the browser console.

Repository

rP Phabricator

Branch

csp2

Lint

Lint Passed

Unit

Tests Passed

Build Status

epriestley requested review of this revision.Feb 28 2018, 10:18 PM

This revision was not accepted when it landed; it landed in state Needs Review.Mar 1 2018, 1:19 AM

This revision was automatically updated to reflect the committed changes.

Path

Size

src/

aphront/

response/

3 lines