Add `form-action` CSP directive (#23478)
* Add form-action CSP directive (#20781) * Fix OAuth flow being broken by recent CSP change (#20958) * Fix form-action CSP directive for external login (#20962)
This commit is contained in:
parent
da5d81c90d
commit
e26dd2ea8f
|
@ -12,6 +12,10 @@ class Auth::SessionsController < Devise::SessionsController
|
||||||
before_action :set_instance_presenter, only: [:new]
|
before_action :set_instance_presenter, only: [:new]
|
||||||
before_action :set_body_classes
|
before_action :set_body_classes
|
||||||
|
|
||||||
|
content_security_policy only: :new do |p|
|
||||||
|
p.form_action(false)
|
||||||
|
end
|
||||||
|
|
||||||
def create
|
def create
|
||||||
super do |resource|
|
super do |resource|
|
||||||
# We only need to call this if this hasn't already been
|
# We only need to call this if this hasn't already been
|
||||||
|
|
|
@ -7,6 +7,10 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
|
||||||
before_action :authenticate_resource_owner!
|
before_action :authenticate_resource_owner!
|
||||||
before_action :set_cache_headers
|
before_action :set_cache_headers
|
||||||
|
|
||||||
|
content_security_policy do |p|
|
||||||
|
p.form_action(false)
|
||||||
|
end
|
||||||
|
|
||||||
include Localized
|
include Localized
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
|
@ -26,6 +26,7 @@ Rails.application.config.content_security_policy do |p|
|
||||||
p.media_src :self, :https, :data, assets_host
|
p.media_src :self, :https, :data, assets_host
|
||||||
p.frame_src :self, :https
|
p.frame_src :self, :https
|
||||||
p.manifest_src :self, assets_host
|
p.manifest_src :self, assets_host
|
||||||
|
p.form_action :self
|
||||||
|
|
||||||
if Rails.env.development?
|
if Rails.env.development?
|
||||||
webpacker_urls = %w(ws http).map { |protocol| "#{protocol}#{Webpacker.dev_server.https? ? 's' : ''}://#{Webpacker.dev_server.host_with_port}" }
|
webpacker_urls = %w(ws http).map { |protocol| "#{protocol}#{Webpacker.dev_server.https? ? 's' : ''}://#{Webpacker.dev_server.host_with_port}" }
|
||||||
|
|
Loading…
Reference in New Issue