author | Joan Touzet <wohali@users.noreply.github.com> | 2020-08-10 17:47:06 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-08-10 13:47:06 -0400 |
commit | 625698d86fa366af490c27d6641cad313d65b97a (patch) | |
tree | ae7c119e4cc62cc2fa989157b08803f62727d961 | |
parent | 9c3d888942d1fe2d8d6e7cfbd04adc74d2507590 (diff) | |
download | couchdb-625698d86fa366af490c27d6641cad313d65b97a.tar.gz |
Fix/csp 3.x (#3069)
* fix: send CSP header to make Fauxton work fully
Co-authored-by: Robert Newson <rnewson@apache.org>
* Remove accidental chttpd_auth.erl.orig commit
-rw-r--r-- | src/chttpd/src/chttpd_misc.erl | 2 | ||||
-rw-r--r-- | src/chttpd/test/eunit/chttpd_csp_tests.erl | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/src/chttpd/src/chttpd_misc.erl b/src/chttpd/src/chttpd_misc.erl
index ffb5295b5..830fea378 100644
--- a/src/chttpd/src/chttpd_misc.erl
+++ b/src/chttpd/src/chttpd_misc.erl
@@ -105,7 +105,7 @@ handle_utils_dir_req(Req, _) ->
 send_method_not_allowed(Req, "GET,HEAD").
 
 maybe_add_csp_headers(Headers, "true") ->
- DefaultValues = "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+ DefaultValues = "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
 "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
 Value = config:get("csp", "header_value", DefaultValues),
 [{"Content-Security-Policy", Value} | Headers];
diff --git a/src/chttpd/test/eunit/chttpd_csp_tests.erl b/src/chttpd/test/eunit/chttpd_csp_tests.erl
index e86436254..b80e3fee6 100644
--- a/src/chttpd/test/eunit/chttpd_csp_tests.erl
+++ b/src/chttpd/test/eunit/chttpd_csp_tests.erl
@@ -56,7 +56,7 @@ should_not_return_any_csp_headers_when_disabled(Url) ->
 
 should_apply_default_policy(Url) ->
 ?_assertEqual(
- "default-src 'self'; img-src 'self' data:; font-src 'self'; "
+ "child-src 'self' data: blob:; default-src 'self'; img-src 'self' data:; font-src 'self'; "
 "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
 begin
 {ok, _, Headers, _} = test_request:get(Url),
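Review bot: The new `child-src 'self' data: blob:` directive in maybe_add_csp_headers is undocumented in the code, and `child-src` is the CSP Level 2 name for what Level 3 splits into `frame-src` and `worker-src` (with `child-src` kept only as their fallback), so the intent — which of frames or workers Fauxton needs `data:`/`blob:` for — is not recoverable from the line itself. I would add a comment above the `DefaultValues` binding such as `%% child-src governs nested frames and workers; CSP3 reads frame-src/worker-src first and falls back to child-src, so widen those instead if they are ever set explicitly`. Note also that `config:get("csp", "header_value", DefaultValues)` means any deployment that already overrides `header_value` will not pick up the new default; that is worth a line in the release notes or config documentation, since the test hunk only covers the default path. The enclosing function has further clauses outside this hunk (the `"true"` match is the only one shown).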