Posted to commits@couchdb.apache.org by wo...@apache.org on 2020/08/10 17:47:18 UTC

[couchdb] branch 3.x updated: Fix/csp 3.x (#3069)

This is an automated email from the ASF dual-hosted git repository.

wohali pushed a commit to branch 3.x
in repository https://gitbox.apache.org/repos/asf/couchdb.git


The following commit(s) were added to refs/heads/3.x by this push:
     new 625698d  Fix/csp 3.x (#3069)
625698d is described below

commit 625698d86fa366af490c27d6641cad313d65b97a
Author: Joan Touzet <wo...@users.noreply.github.com>
AuthorDate: Mon Aug 10 17:47:06 2020 +0000

    Fix/csp 3.x (#3069)
    
    * fix: send CSP header to make Fauxton work fully
    
    Co-authored-by: Robert Newson <rn...@apache.org>
    
    * Remove accidental chttpd_auth.erl.orig commit
---
 src/chttpd/src/chttpd_misc.erl             | 2 +-
 src/chttpd/test/eunit/chttpd_csp_tests.erl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/chttpd/src/chttpd_misc.erl b/src/chttpd/src/chttpd_misc.erl
index ffb5295..830fea3 100644
--- a/src/chttpd/src/chttpd_misc.erl
+++ b/src/chttpd/src/chttpd_misc.erl
@@ -105,7 +105,7 @@ handle_utils_dir_req(Req, _) ->
     send_method_not_allowed(Req, "GET,HEAD").
 
 maybe_add_csp_headers(Headers, "true") ->
-    DefaultValues = "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+    DefaultValues = "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
                     "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
     Value = config:get("csp", "header_value", DefaultValues),
     [{"Content-Security-Policy", Value} | Headers];
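Review bot: The new `child-src 'self' data: blob:` directive on the added line carries no comment saying why `data:` and `blob:` are needed, and `child-src` is the CSP Level 3 directive that has been deprecated in favour of `frame-src` and `worker-src` (both of which fall back to `child-src` in browsers that implement it), so a future reader cannot tell whether framing data: URLs or running blob: workers is the intended allowance for Fauxton. I would add above the `DefaultValues` binding: `%% child-src (frame-src/worker-src fallback) allows data:/blob: sources because Fauxton needs them; widening it widens what may be framed or run as a worker, operators can override via [csp] header_value` and consider adding explicit `frame-src` and `worker-src` entries so the policy keeps working where `child-src` is no longer honoured. The same literal is duplicated verbatim in the test hunk in chttpd_csp_tests.erl (should_apply_default_policy), so the test pins a copy rather than the value the module actually sends; exposing the default through a macro or a small exported function would let the test read it instead. maybe_add_csp_headers continues with further clauses outside this hunk.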
diff --git a/src/chttpd/test/eunit/chttpd_csp_tests.erl b/src/chttpd/test/eunit/chttpd_csp_tests.erl
index e864362..b80e3fe 100644
--- a/src/chttpd/test/eunit/chttpd_csp_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_csp_tests.erl
@@ -56,7 +56,7 @@ should_not_return_any_csp_headers_when_disabled(Url) ->
 
 should_apply_default_policy(Url) ->
     ?_assertEqual(
-        "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+        "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
         "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
         begin
             {ok, _, Headers, _} = test_request:get(Url),