Commit Graph

35 Commits (13fb54920b1c1e8dd59798dd9fc3466c5a446898)

Author SHA1 Message Date
Matt Jankowski c523a9601b
Rename local webpack* var in development env CSP config (#28766) 2024-01-17 09:22:16 +00:00
Claire 85662a5a57
Change `img-src` and `media-src` CSP directives to not include `https:` (#28025) 2023-11-30 13:47:01 +00:00
Matt Jankowski c875dfc90b
Fix `Lint/UnusedBlockArgument` cop (#27777) 2023-11-09 09:43:26 +00:00
Matt Jankowski 33cc3ae8fa
Fix `Style/StabbyLambdaParentheses` cop (#27771) 2023-11-08 12:01:18 +00:00
Matt Jankowski eae5c7334a
Extract class from CSP configuration/initialization (#26905) 2023-10-27 16:20:40 +00:00
Matt Jankowski 9a3d047f3e
Run `bin/rails app:update` with Rails 7.1 (#27522) 2023-10-25 13:56:09 +00:00
Claire c3e0eb3699
Change Content-Security-Policy to be tighter on media paths (#26889) 2023-10-23 14:27:07 +02:00
Nick Schonning 85db392464
Autofix Rubocop cops for config/ (#24145) 2023-10-03 15:24:12 +02:00
Claire a04ae16201
Fix CSP when using `ONE_CLICK_SSO_LOGIN` (#26901) 2023-09-13 19:54:04 +02:00
CSDUMMI 9a70cac9de
Fix #26849 by adding the domain of the current SSO provider to the form-action CSP (#26857) 2023-09-12 13:04:51 +02:00
Christian Schmidt 286a21afdc
Support webpacker live-reloading on Docker (#26419) 2023-08-29 10:17:57 +02:00
Claire e5f1000ad1
Fix CSP headers being unintendedly wide (#26105) 2023-07-21 13:34:15 +02:00
Misty De Méo b848ba3867
Paperclip: add support for Azure blob storage (#23607) 2023-07-19 09:02:49 +02:00
Nick Schonning 1d557305d2
Enable Rubocop Style/FrozenStringLiteralComment (#23793) 2023-07-12 09:47:08 +02:00
Claire e428670e61
Fix CSP headers when S3_ALIAS_HOST includes a path component (#25273) 2023-06-05 17:35:05 +02:00
Matt Jankowski 5a2aa06a51
Fix Rails/Present cop (#24688) 2023-04-30 06:47:50 +02:00
Nick Schonning 500d6f93be
Autofix Rubocop Style/IdenticalConditionalBranches (#24322) 2023-03-31 09:33:52 +02:00
Claire 7955d4b959
Add form-action CSP directive (#20781) 2022-11-17 10:55:03 +01:00
Eugen Rochko 43b0b2f3f4
Fix wrong directive `unsafe-wasm-eval` to `wasm-unsafe-eval` (#20729) 2022-11-15 03:39:06 +01:00
prplecake b46b7c3d5e
Use "unsafe-wasm-eval" instead of "unsafe-eval" in script-src CSP (#20606)
* Add "unsafe-eval" to script-src CSP

* Use 'unsafe-wasm-eval' instead of 'unsafe-eval'
2022-11-15 03:22:38 +01:00
prplecake aafbc82d88
Add "unsafe-eval" to script-src CSP (#18817) 2022-10-26 19:23:16 +02:00
Yamagishi Kazutoshi eb9a7e3626
Fix LetterOpennerWeb CSP (#17770) 2022-03-14 19:20:40 +01:00
Eugen Rochko 3f2533ca8e
Fix autoloading deprecation warnings from Rails 6 (#16010) 2021-04-09 02:31:20 +02:00
Claire cbd0ee1d07
Update Mastodon to Rails 6.1 (#15910)
* Update devise-two-factor to unreleased fork for Rails 6 support

Update tests to match new `rotp` version.

* Update nsa gem to unreleased fork for Rails 6 support

* Update rails to 6.1.3 and rails-i18n to 6.0

* Update to unreleased fork of pluck_each for Ruby 6 support

* Run "rails app:update"

* Add missing ActiveStorage config file

* Use config.ssl_options instead of removed ApplicationController#force_ssl

Disabled force_ssl-related tests as they do not seem to be easily testable
anymore.

* Fix nonce directives by removing Rails 5 specific monkey-patching

* Fix fixture_file_upload deprecation warning

* Fix yield-based test failing with Rails 6

* Use Rails 6's index_with when possible

* Use ActiveRecord::Cache::Store#delete_multi from Rails 6

This will yield better performances when deleting an account

* Disable Rails 6.1's automatic preload link headers

Since Rails 6.1, ActionView adds preload links for javascript files
in the Links header per default.

In our case, that will bloat headers too much and potentially cause
issues with reverse proxies. Furhermore, we don't need those links,
as we already output them as HTML link tags.

* Switch to Rails 6.0 default config

* Switch to Rails 6.1 default config

* Do not include autoload paths in the load path
2021-03-24 10:44:31 +01:00
ThibG a783bdf4ad
Fix hashtag column options styling (#14247)
* Enable nonces for stylesheets

* Pass nonce to react-select
2020-07-07 01:33:38 +02:00
ThibG e1629a7758
Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)
* Make sure wicg-inert doesn't rely on inline CSS

* Remove unsafe-inline from style-src
2020-05-08 21:22:57 +02:00
ThibG dea5db0e25
Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595) 2020-05-04 13:52:41 +02:00
ThibG 7ddbbdea6d
Fix OCR not working on Safari because of unsupported worker-src CSP (#13323)
Fixes #13321
2020-03-27 22:35:57 +01:00
ThibG 8203e24cf4 Fix CSP needlessly allowing blob URLs in script-src (#11620) 2019-08-19 20:36:58 +02:00
Eugen Rochko b7f5f0ec10
Fix media host not being included in connect-src for OCR (#11577) 2019-08-16 01:54:36 +02:00
Eugen Rochko 28636f43e4
Add OCR tool to media editing modal (#11566) 2019-08-15 15:13:26 +02:00
ThibG 8ab081ec32 Add manifest_src to CSP, add blob to connect_src (#8967) 2018-10-12 19:07:30 +02:00
Eugen Rochko edc7f895be
Fix CSP headers blocking media and development environment (#8962)
Regression from #8957
2018-10-12 01:43:09 +02:00
ThibG 2d27c11061 Set Content-Security-Policy rules through RoR's config (#8957)
* Set CSP rules in RoR's configuration

* Override CSP setting in the embed controller to allow frames
2018-10-11 20:35:46 +02:00
Yamagishi Kazutoshi 50529cbceb Upgrade Rails to version 5.2.0 (#5898) 2018-04-12 14:45:17 +02:00