Include the primary domain in the Content-Security-Policy explicitly if there's no CDN
ClosedPublic
Actions

Authored by epriestley on Mar 2 2018, 3:03 PM.

Details

Reviewers: None
Maniphest Tasks: T4340: Implement Content-Security-Policy and Strict-Transport-Security headers
Commits: rP42e5b8a04bec: Include the primary domain in the Content-Security-Policy explicitly if there's…

Summary

Ref T4340. If you don't configure a CDN and visit a custom site (like a Phame blog site, or a CORGI sandbox internally) we serve resources from the main site. This violates the Content-Security-Policy.

When there's no CDN, include the primary domain in the CSP explicitly.

Test Plan

Loaded local.www.phacility.com, got resources.

Diff Detail

Repository

rP Phabricator

Branch

csp9

Lint

Lint Passed

Unit

Tests Passed

Build Status

Buildable 19728
Build 26721: Run Core Tests
Build 26720: arc lint + arc unit

Event Timeline

epriestley created this revision.Mar 2 2018, 3:03 PM

Harbormaster completed remote builds in B19728: Diff 45920.Mar 2 2018, 3:05 PM

epriestley requested review of this revision.Mar 2 2018, 3:05 PM

This revision was not accepted when it landed; it landed in state Needs Review.Mar 2 2018, 3:42 PM

Closed by commit rP42e5b8a04bec: Include the primary domain in the Content-Security-Policy explicitly if there's… (authored by epriestley). · Explain Why

This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Path

Size

src/

aphront/

response/

AphrontResponse.php

9 lines

Diff 45920

View Options

src/aphront/response/AphrontResponse.php

Include the primary domain in the Content-Security-Policy explicitly if there's no CDNClosedPublicActions