Page MenuHomePhabricator
Differential D19154

Add "object-src 'none'" to the Content-Security-Policy
ClosedPublic
Actions

Authored by epriestley on Feb 28 2018, 10:17 PM.
Tags
None
Referenced Files
F15375121: D19154.id45885.diff
Wed, Mar 12, 9:44 PM
F15337010: D19154.id45889.diff
Sun, Mar 9, 3:38 AM
F15337009: D19154.id45885.diff
Sun, Mar 9, 3:38 AM
F15337008: D19154.id.diff
Sun, Mar 9, 3:38 AM
F15332894: D19154.diff
Fri, Mar 7, 9:31 PM
Unknown Object (File)
Wed, Feb 26, 5:38 AM
Unknown Object (File)
Feb 9 2025, 5:34 AM
Unknown Object (File)
Feb 9 2025, 5:34 AM
View All Files
Subscribers
None

Details

Reviewers
None
Maniphest Tasks
T4340: Implement Content-Security-Policy and Strict-Transport-Security headers
Commits
rPa5efd7eedb3c: Add "object-src 'none'" to the Content-Security-Policy
Summary

See PHI399. Ref T4340. We don't require Flash/Java anywhere and can safely block them unconditionally in the Content-Security-Policy header.

Test Plan

Added a <object ... /> tag to a page, saw "Blocked Plug-In" and a CSP warning in the browser console.

Diff Detail

Repository
rP Phabricator
Branch
csp2
Lint
Lint Passed
Unit
Tests Passed
Build Status
Buildable 19696
Build 26674: Run Core Tests
Build 26673: arc lint + arc unit

Event Timeline

epriestley created this revision.Feb 28 2018, 10:17 PM
Harbormaster completed remote builds in B19696: Diff 45885.Feb 28 2018, 10:18 PM
epriestley requested review of this revision.Feb 28 2018, 10:18 PM
epriestley added a child revision: D19155: Remove defunct "download" route in Files pointing to nonexistent controller.Feb 28 2018, 11:21 PM
This revision was not accepted when it landed; it landed in state Needs Review.Mar 1 2018, 1:19 AM
Closed by commit rPa5efd7eedb3c: Add "object-src 'none'" to the Content-Security-Policy (authored by epriestley). · Explain Why
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
src/
aphront/
response/
3 lines

Diff 45885

View Options

src/aphront/response/AphrontResponse.php

Loading...
Phabricator · Built by Phacility