Posted to commits@allura.apache.org by gc...@apache.org on 2023/03/17 23:42:36 UTC

[allura] 01/02: [#8504] added 'report-sample' to report rules

This is an automated email from the ASF dual-hosted git repository.

gcruz pushed a commit to branch gc/8504
in repository https://gitbox.apache.org/repos/asf/allura.git

commit afc0868b8f1d67e0b21b927b51eb989677b908a9
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Fri Mar 17 15:27:53 2023 -0500

    [#8504] added 'report-sample' to report rules
---
 Allura/allura/lib/custom_middleware.py | 8 ++++----
 Allura/development.ini                 | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 4d8e51c56..1ca8accc5 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -488,7 +488,7 @@ class ContentSecurityPolicyMiddleware:
             if asbool(self.config.get('csp.frame_sources_enforce', False)):
                 rules.add(f"frame-src {self.config['csp.frame_sources']}")
             else:
-                report_rules.add(f"frame-src {self.config['csp.frame_sources']}")
+                report_rules.add(f"frame-src {self.config['csp.frame_sources']} 'report-sample'")
 
         if self.config.get('csp.form_action_urls'):
             srcs = self.config['csp.form_action_urls']
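Review bot: The `'report-sample'` keyword appended to frame-src at L30 (and to form-action at L39 in the next hunk) is inert for those directives: in CSP Level 3 the violation sample is only populated when an inline script or style check fails, so it changes nothing for frame-src or form-action reports and some browsers may log a console message about an unsupported source expression there. Either drop the keyword from those two report rules and keep it on the script-src directives, or leave a comment next to them such as `# 'report-sample' only affects script-src/style-src reports; inert here`. The enclosing method of ContentSecurityPolicyMiddleware begins before this hunk and continues after it.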
@@ -497,7 +497,7 @@ class ContentSecurityPolicyMiddleware:
             if asbool(self.config.get('csp.form_actions_enforce', False)):
                 rules.add(f"form-action {srcs}")
             else:
-                report_rules.add(f"form-action {srcs}")
+                report_rules.add(f"form-action {srcs} 'report-sample'")
 
         if self.config.get('csp.script_src'):
             script_srcs = self.config['csp.script_src']
@@ -512,13 +512,13 @@ class ContentSecurityPolicyMiddleware:
             if asbool(self.config.get('csp.script_src_enforce', False)):
                 rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')}")
             else:
-                report_rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')}")
+                report_rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')} 'report-sample'")
 
         if self.config.get('csp.script_src_attr'):
             if asbool(self.config.get('csp.script_src_attr_enforce', False)):
                 rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}")
             else:
-                report_rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}")
+                report_rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')} 'report-sample'")
 
         rules.add("object-src 'none'")
         rules.add("frame-ancestors 'self'")
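Review bot: `'report-sample'` is added only on the report-only branches at L48 and L55, so the moment `csp.script_src_enforce` or `csp.script_src_attr_enforce` is turned on the enforced directive stops carrying samples and any configured reporting endpoint gets less context for triage of blocked inline scripts. If that asymmetry is deliberate (inline snippets in reports can expose page content), a short comment on the else branch saying so would save the next reader from "fixing" it; if not, the keyword should be appended in both branches. Either way the literal now appears four times across this and the two earlier hunks and would read better hoisted into a module-level constant, e.g. `REPORT_SAMPLE = "'report-sample'"`. The enclosing method starts before this hunk and ends after it.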
diff --git a/Allura/development.ini b/Allura/development.ini
index 3b41bdf65..b73c0173c 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -685,7 +685,7 @@ csp.script_src.extras = 'unsafe-inline' 'unsafe-eval'
 
 ; to enable enforce mode on script-src-attr
 ;csp.script_src_attr_enforce = true
-csp.script_src_attr = 'self'
+csp.script_src_attr = 'none'
 ;
 ; Settings for comment reactions
 ;
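Review bot: The switch from `'self'` to `'none'` at L68 is correct but undocumented: script-src-attr governs inline event-handler attributes, which no host source (including 'self') can ever match, so 'self' was effectively the same as an empty list while 'none' makes the report-only policy flag every inline handler. A one-line comment above the key would capture that, e.g. `; 'none' reports every inline event-handler attribute; host sources such as 'self' never match attributes`.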