Posted to commits@allura.apache.org by gc...@apache.org on 2023/03/17 23:42:36 UTC
[allura] 01/02: [#8504] added 'report-sample' to report rules
This is an automated email from the ASF dual-hosted git repository.
gcruz pushed a commit to branch gc/8504
in repository https://gitbox.apache.org/repos/asf/allura.git
commit afc0868b8f1d67e0b21b927b51eb989677b908a9
Author: Guillermo Cruz <gu...@slashdotmedia.com>
AuthorDate: Fri Mar 17 15:27:53 2023 -0500
[#8504] added 'report-sample' to report rules
---
Allura/allura/lib/custom_middleware.py | 8 ++++----
Allura/development.ini | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 4d8e51c56..1ca8accc5 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -488,7 +488,7 @@ class ContentSecurityPolicyMiddleware:
if asbool(self.config.get('csp.frame_sources_enforce', False)):
rules.add(f"frame-src {self.config['csp.frame_sources']}")
else:
- report_rules.add(f"frame-src {self.config['csp.frame_sources']}")
+ report_rules.add(f"frame-src {self.config['csp.frame_sources']} 'report-sample'")
if self.config.get('csp.form_action_urls'):
srcs = self.config['csp.form_action_urls']
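Review bot: `'report-sample'` is a keyword defined for the script-src and style-src directive families, so appending it to `frame-src` on the added line here (and to `form-action` in the next hunk) does not change what the browser puts in the violation report, and some browsers may log it as an unrecognised source expression. Consider dropping it from those two lines, keeping `report_rules.add(f"frame-src {self.config['csp.frame_sources']}")` as before. If the goal is to mark these rules as report-only for the reader, a short comment does that more clearly than a no-op keyword. The enclosing method of ContentSecurityPolicyMiddleware starts before this hunk, so the surrounding control flow is not visible here.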
@@ -497,7 +497,7 @@ class ContentSecurityPolicyMiddleware:
if asbool(self.config.get('csp.form_actions_enforce', False)):
rules.add(f"form-action {srcs}")
else:
- report_rules.add(f"form-action {srcs}")
+ report_rules.add(f"form-action {srcs} 'report-sample'")
if self.config.get('csp.script_src'):
script_srcs = self.config['csp.script_src']
@@ -512,13 +512,13 @@ class ContentSecurityPolicyMiddleware:
if asbool(self.config.get('csp.script_src_enforce', False)):
rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')}")
else:
- report_rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')}")
+ report_rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')} 'report-sample'")
if self.config.get('csp.script_src_attr'):
if asbool(self.config.get('csp.script_src_attr_enforce', False)):
rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}")
else:
- report_rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}")
+ report_rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')} 'report-sample'")
rules.add("object-src 'none'")
rules.add("frame-ancestors 'self'")
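Review bot: The keyword `'report-sample'` is now repeated as a bare literal inside four f-strings (this hunk and the two before it); hoisting it into one module-level constant such as `REPORT_SAMPLE = "'report-sample'"` keeps the spelling in one place and makes the report-only intent visible at the call sites. Where it is appended to `script-src` and `script-src-attr` a comment is also warranted, e.g. `# 'report-sample' makes the browser include a snippet of the offending inline script in each violation report, so the configured report collector receives fragments of page content`, since that is the trade-off for getting actionable reports. When `csp.script_src.extras` is empty the script-src rule also picks up a double space before the keyword, which is harmless but untidy. The enclosing method appears to continue outside this hunk.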
diff --git a/Allura/development.ini b/Allura/development.ini
index 3b41bdf65..b73c0173c 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -685,7 +685,7 @@ csp.script_src.extras = 'unsafe-inline' 'unsafe-eval'
; to enable enforce mode on script-src-attr
;csp.script_src_attr_enforce = true
-csp.script_src_attr = 'self'
+csp.script_src_attr = 'none'
;
; Settings for comment reactions
;
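Review bot: The change of `csp.script_src_attr` from `'self'` to `'none'` is not explained by the surrounding comments, which only describe the enforce flag; since `'self'` is a host-source and never matches an inline event-handler attribute, `'none'` is the value that actually produces reports, and a one-line note would stop the next reader from reverting it, e.g. `; 'none' reports (or blocks, once csp.script_src_attr_enforce is on) every inline event-handler attribute such as onclick=`. With the enforce line still commented out this remains report-only, which looks intended.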