Posted to commits@couchdb.apache.org by wo...@apache.org on 2020/08/10 17:47:18 UTC
[couchdb] branch 3.x updated: Fix/csp 3.x (#3069)
This is an automated email from the ASF dual-hosted git repository.
wohali pushed a commit to branch 3.x
in repository https://gitbox.apache.org/repos/asf/couchdb.git
The following commit(s) were added to refs/heads/3.x by this push:
new 625698d Fix/csp 3.x (#3069)
625698d is described below
commit 625698d86fa366af490c27d6641cad313d65b97a
Author: Joan Touzet <wo...@users.noreply.github.com>
AuthorDate: Mon Aug 10 17:47:06 2020 +0000
Fix/csp 3.x (#3069)
* fix: send CSP header to make Fauxton work fully
Co-authored-by: Robert Newson <rn...@apache.org>
* Remove accidental chttpd_auth.erl.orig commit
---
src/chttpd/src/chttpd_misc.erl | 2 +-
src/chttpd/test/eunit/chttpd_csp_tests.erl | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/chttpd/src/chttpd_misc.erl b/src/chttpd/src/chttpd_misc.erl
index ffb5295..830fea3 100644
--- a/src/chttpd/src/chttpd_misc.erl
+++ b/src/chttpd/src/chttpd_misc.erl
@@ -105,7 +105,7 @@ handle_utils_dir_req(Req, _) ->
send_method_not_allowed(Req, "GET,HEAD").
maybe_add_csp_headers(Headers, "true") ->
- DefaultValues = "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+ DefaultValues = "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
"script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
Value = config:get("csp", "header_value", DefaultValues),
[{"Content-Security-Policy", Value} | Headers];
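Review bot: The added `child-src 'self' data: blob:` on the new DefaultValues line has no comment saying why `data:` and `blob:` child sources are needed, even though this string is the security default every deployment inherits unless it sets `csp.header_value`. The commit title suggests it is for Fauxton, so a one-line comment above the binding would stop a future maintainer from "tightening" it back: `%% child-src must allow blob:/data: for Fauxton's frames and workers; operators can override via [csp] header_value`. Note also that child-src is deprecated in CSP Level 3 in favour of `frame-src` and `worker-src` (browsers still fall back to child-src for both), which is worth stating in the same comment so the choice reads as deliberate. The same literal is duplicated in chttpd_csp_tests.erl (second hunk), so the two must be kept in sync. maybe_add_csp_headers has further clauses outside this hunk.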
diff --git a/src/chttpd/test/eunit/chttpd_csp_tests.erl b/src/chttpd/test/eunit/chttpd_csp_tests.erl
index e864362..b80e3fe 100644
--- a/src/chttpd/test/eunit/chttpd_csp_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_csp_tests.erl
@@ -56,7 +56,7 @@ should_not_return_any_csp_headers_when_disabled(Url) ->
should_apply_default_policy(Url) ->
?_assertEqual(
- "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+ "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
"script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
begin
{ok, _, Headers, _} = test_request:get(Url),