Page MenuHomePhabricator
Differential D19170

Include the primary domain in the Content-Security-Policy explicitly if there's no CDN
ClosedPublic
Actions

Authored by epriestley on Mar 2 2018, 3:03 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Jan 25, 12:27 AM
Unknown Object (File)
Sat, Jan 25, 12:27 AM
Unknown Object (File)
Sat, Jan 25, 12:27 AM
Unknown Object (File)
Sat, Jan 25, 12:27 AM
Unknown Object (File)
Wed, Jan 22, 10:54 AM
Unknown Object (File)
Tue, Jan 21, 9:22 AM
Unknown Object (File)
Sat, Jan 18, 6:55 AM
Unknown Object (File)
Fri, Jan 3, 2:08 AM
View All Files
Subscribers
None

Details

Reviewers
None
Maniphest Tasks
T4340: Implement Content-Security-Policy and Strict-Transport-Security headers
Commits
rP42e5b8a04bec: Include the primary domain in the Content-Security-Policy explicitly if there's…
Summary

Ref T4340. If you don't configure a CDN and visit a custom site (like a Phame blog site, or a CORGI sandbox internally) we serve resources from the main site. This violates the Content-Security-Policy.

When there's no CDN, include the primary domain in the CSP explicitly.

Test Plan

Loaded local.www.phacility.com, got resources.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley created this revision.Mar 2 2018, 3:03 PM
Harbormaster completed remote builds in B19728: Diff 45920.Mar 2 2018, 3:05 PM
epriestley requested review of this revision.Mar 2 2018, 3:05 PM
This revision was not accepted when it landed; it landed in state Needs Review.Mar 2 2018, 3:42 PM
Closed by commit rP42e5b8a04bec: Include the primary domain in the Content-Security-Policy explicitly if there's… (authored by epriestley). · Explain Why
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
src/
aphront/
response/
9 lines

Diff 45921

View Options

src/aphront/response/AphrontResponse.php

Loading...
Phabricator · Built by Phacility