Page MenuHomePhabricator

Add "object-src 'none'" to the Content-Security-Policy
ClosedPublic

Authored by epriestley on Feb 28 2018, 10:17 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Nov 26, 8:45 AM
Unknown Object (File)
Thu, Nov 14, 4:04 AM
Unknown Object (File)
Sat, Nov 9, 2:59 PM
Unknown Object (File)
Oct 14 2024, 1:29 PM
Unknown Object (File)
Oct 13 2024, 9:09 PM
Unknown Object (File)
Oct 12 2024, 12:16 PM
Unknown Object (File)
Oct 12 2024, 9:48 AM
Unknown Object (File)
Oct 11 2024, 4:47 PM
Subscribers
None

Details

Summary

See PHI399. Ref T4340. We don't require Flash/Java anywhere and can safely block them unconditionally in the Content-Security-Policy header.

Test Plan

Added a <object ... /> tag to a page, saw "Blocked Plug-In" and a CSP warning in the browser console.

Diff Detail

Repository
rP Phabricator
Branch
csp2
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 19696
Build 26674: Run Core Tests
Build 26673: arc lint + arc unit

Event Timeline

This revision was not accepted when it landed; it landed in state Needs Review.Mar 1 2018, 1:19 AM
This revision was automatically updated to reflect the committed changes.