safeweb: allow object-src: self in CSP (#11782)

This change is safe (self is still safe, by
definition), and makes the code match the comment.

Updates #cleanup

Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
Chris Palmer 2024-04-18 10:39:11 -07:00 committed by GitHub
parent e775de3c63
commit bdfaef4879
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed file with 1 addition and 1 deletion


@ -89,7 +89,7 @@ var defaultCSP = strings.Join([]string{
`form-action 'self'`, // disallow form submissions to other origins
`base-uri 'self'`, // disallow base URIs from other origins
`block-all-mixed-content`, // disallow mixed content when serving over HTTPS
`object-src 'none'`, // disallow embedding of resources from other origins
`object-src 'self'`, // disallow embedding of resources from other origins
}, "; ")
// Config contains the configuration for a safeweb server.
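Review bot: the new line loosens the policy rather than only matching the comment: `object-src 'self'` permits same-origin `<object>`/`<embed>` plugin content that `object-src 'none'` blocked outright, so the comment "disallow embedding of resources from other origins" now describes a weaker guarantee than the code previously gave. If nothing served by safeweb needs plugin content, the stronger fix is to keep `object-src 'none'` and change the comment instead, e.g. `// disallow all plugin content (object/embed), regardless of origin`; if same-origin embeds are actually needed, the commit message should say which handler relies on them.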