Include the primary domain in the Content-Security-Policy explicitly if there's…
42e5b8a04bec
Actions

Description

Include the primary domain in the Content-Security-Policy explicitly if there's no CDN

Summary:
Ref T4340. If you don't configure a CDN and visit a custom site (like a Phame blog site, or a CORGI sandbox internally) we serve resources from the main site. This violates the Content-Security-Policy.

When there's no CDN, include the primary domain in the CSP explicitly.

Test Plan: Loaded local.www.phacility.com, got resources.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19170

Details

Provenance

epriestley	Authored on Mar 2 2018, 2:59 PM
epriestley	Pushed on Mar 2 2018, 3:42 PM

Differential Revision

D19170: Include the primary domain in the Content-Security-Policy explicitly if there's no CDN

Parents

rP2121f2dea697: Don't require project edit permission to create a project with members other…

Branches

Unknown

Tags

Unknown

Tasks

T4340: Implement Content-Security-Policy and Strict-Transport-Security headers

Build Status

Buildable 19729
Build 26722: Run Core Tests

Event Timeline

epriestley committed rP42e5b8a04bec: Include the primary domain in the Content-Security-Policy explicitly if there's… (authored by epriestley).Mar 2 2018, 3:42 PM

epriestley added a task: T4340: Implement Content-Security-Policy and Strict-Transport-Security headers.

Harbormaster completed building B19729: rP42e5b8a04bec: Include the primary domain in the Content-Security-Policy explicitly if there's….Mar 2 2018, 3:43 PM

epriestley mentioned this in 2018 Week 9 (Very Early March).Mar 2 2018, 6:52 PM

Changes (1)

Path

Size

src/

aphront/

response/

AphrontResponse.php

rP42e5b8a04bec

View Options

src/aphront/response/AphrontResponse.php