feat: add more fine-grained CSP support #3724
Merged
This introduces CSP settings for attachments and show/list funs and streamlines the configuration with the existing Fauxton CSP options.

Deprecates the old [csp] enable and [csp] header_value config options, but they are honoured going forward. They are replaced with [csp] utils_enable and [csp] utils_header_value respectively. The functionality and default values remain the same.

In addition, these new config options are added, along with their default values:

These add Content-Security-Policy headers to all attachment requests and to all non-JSON show and all list function responses.
Co-authored-by: Nick Vatamaniuc [email protected]
Co-authored-by: Robert Newson [email protected]
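The description above states which responses should now carry a Content-Security-Policy header: every attachment response, every non-JSON show function response, and every list function response. The following script, an added example that is not code from this PR or from the CouchDB project, is an offline audit that applies exactly that rule to a set of sampled responses and reports the ones that lack the header. The URL shapes it matches (attachments at /{db}/{docid}/{attname}, show at /{db}/_design/{ddoc}/_show/..., list at /{db}/_design/{ddoc}/_list/...) are assumptions based on CouchDB's documented URL layout, and the sample responses and header value are constructed, not captured from a server.

```python
"""Offline audit of CSP coverage under the rule the PR describes:
all attachments, all non-JSON show responses, all list responses.

Added example, not CouchDB project code. Path patterns below are
assumptions based on CouchDB's documented URL layout."""
import re
from dataclasses import dataclass

# Assumed URL shapes (not stated in the PR text):
#   attachment: /{db}/{docid}/{attname}, where docid may be _design/{name}
#   show:       /{db}/_design/{ddoc}/_show/{show}[/{docid}]
#   list:       /{db}/_design/{ddoc}/_list/{list}/{view}
ATTACHMENT_RE = re.compile(r"^/[^/_][^/]*/(?:_design/[^/]+|[^/_][^/]*)/[^/]+$")
SHOW_RE = re.compile(r"^/[^/]+/_design/[^/]+/_show/")
LIST_RE = re.compile(r"^/[^/]+/_design/[^/]+/_list/")

CSP_HEADER = "content-security-policy"


@dataclass
class Response:
    """A sampled HTTP response: request path, content type, and headers."""
    path: str
    content_type: str
    headers: dict


def is_json(content_type):
    """True when the media type (ignoring parameters) is application/json."""
    return content_type.split(";")[0].strip().lower() == "application/json"


def csp_expected(path, content_type):
    """Apply the PR's rule to one response.

    Show and list paths are checked before the attachment pattern because
    a design-document attachment path shares its prefix with them.
    """
    if LIST_RE.match(path):
        return True                      # all list function responses
    if SHOW_RE.match(path):
        return not is_json(content_type)  # show: only non-JSON responses
    if ATTACHMENT_RE.match(path):
        return True                      # all attachment responses
    return False                         # other endpoints are out of scope here


def has_csp(headers):
    """Case-insensitive presence check for the CSP header."""
    return any(name.lower() == CSP_HEADER for name in headers)


def audit(responses):
    """Return the paths that should carry CSP under the rule but do not."""
    return [
        r.path
        for r in responses
        if csp_expected(r.path, r.content_type) and not has_csp(r.headers)
    ]


# Constructed sample responses (not captured from a real CouchDB node).
# The CSP value below is a placeholder, not the PR's default.
SAMPLE = [
    Response("/db/doc1/report.html", "text/html", {"Content-Type": "text/html"}),
    Response("/db/doc1/logo.png", "image/png",
             {"Content-Type": "image/png", "Content-Security-Policy": "default-src 'none'"}),
    Response("/db/_design/app/_show/page/doc1", "text/html", {"Content-Type": "text/html"}),
    Response("/db/_design/app/_show/api/doc1", "application/json",
             {"Content-Type": "application/json"}),
    Response("/db/_design/app/_list/table/byname", "text/html", {"Content-Type": "text/html"}),
    Response("/db/_design/app/_list/feed/byname", "application/json",
             {"Content-Type": "application/json"}),
    Response("/db/_all_docs", "application/json", {"Content-Type": "application/json"}),
    Response("/db/doc1", "application/json", {"Content-Type": "application/json"}),
]

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print("missing Content-Security-Policy:", path)
```

Running the script lists the four sampled responses that fall under the rule but carry no header: the HTML attachment, the HTML show response, and both list responses (the JSON list response is included because the description says all list responses get the header, while the JSON show response is exempt).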
rel/overlay/etc/default.ini