Allow only CDN routes when using security.alternate-file-domain

Description

Allow only CDN routes when using security.alternate-file-domain

Summary:
Instead of allowing all routes based on security.alternate-file-domain, now, when security.alternate-file-domain is set, and the request matches this domain, requests are validated against an explicit list. Allowed routes:

  • /res/
  • /file/data/
  • /file/xform/
  • /phame/r/

This will be redone by T5702 to be less of a hack.

Test Plan:

  • browse around (incl. Phame live) to make sure there is no regression from this when security.alternate-file-domain is not used.
  • check that celerity resources and files (incl. previews) are served with security.alternate-file-domain set.
  • check that phame live blog is serving its css correctly with security.alternate-file-domain set.
  • check that requests outside of the whitelist generate an exception for security.alternate-file-domain

Reviewers: Blessed Reviewers, epriestley

Reviewed By: Blessed Reviewers, epriestley

Subscribers: epriestley, Korvin

Differential Revision: https://secure.phabricator.com/D10048
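The check the summary describes, as an added example that is not part of the commit and is not Phabricator's own code: requests whose Host matches the alternate file domain are served only for the four listed route prefixes. The function name, the placeholder hosts, and the choice to refuse dot segments are assumptions of this sketch. A caller would raise an exception when it returns false, as in the test plan.

```php
<?php
// Added illustration; not Phabricator's code. All names are hypothetical.

// The four route prefixes listed in the commit summary.
const CDN_ROUTE_PREFIXES = ['/res/', '/file/data/', '/file/xform/', '/phame/r/'];

// $alt_host: host part of security.alternate-file-domain, or null if unset.
// $host:     Host header of the incoming request.
// $path:     request path, without the query string.
function cdn_request_allowed(?string $alt_host, string $host, string $path): bool {
  if ($alt_host === null) {
    return true; // setting unused: this check restricts nothing
  }
  // Hostnames are case-insensitive and the Host header may carry a port.
  $req_host = strtolower(preg_replace('/:\d+$/', '', $host));
  if ($req_host !== strtolower($alt_host)) {
    return true; // main domain: normal routing applies
  }
  // Assumption of this sketch: refuse dot segments (raw or percent-encoded)
  // so a prefix match cannot be carried to another route by a later
  // normalization step.
  foreach (explode('/', rawurldecode($path)) as $segment) {
    if ($segment === '.' || $segment === '..') {
      return false;
    }
  }
  foreach (CDN_ROUTE_PREFIXES as $prefix) {
    // Prefixes end in "/", so "/resources/x" does not match "/res/".
    if (strncmp($path, $prefix, strlen($prefix)) === 0) {
      return true;
    }
  }
  return false; // on the file domain, but not a CDN route
}

// Constructed sample requests; both hosts are placeholders.
$samples = [
  ['cdn.example.net', 'phab.example.com', '/settings/'],
  ['cdn.example.net', 'CDN.example.net:443', '/res/abc/core.css'],
  ['cdn.example.net', 'cdn.example.net', '/settings/'],
  ['cdn.example.net', 'cdn.example.net', '/resources/x'],
  ['cdn.example.net', 'cdn.example.net', '/file/data/%2e%2e/settings/'],
];
foreach ($samples as [$alt, $host, $path]) {
  $verdict = cdn_request_allowed($alt, $host, $path) ? 'allow' : 'deny';
  printf("%-20s %-30s %s\n", $host, $path, $verdict);
}
```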

Details

Committed
epriestley, Jul 25 2014, 1:40 PM
Pushed
epriestley, Jul 25 2014, 1:40 PM
Reviewer
Blessed Reviewers
Differential Revision
D10048: Allow only CDN routes when using security.alternate-file-domain
Parents
rP51b5bf1e673a: Fix unmigrated load() call in Audit inlines
Branches
Unknown
Tags
Unknown