Unverified commit 30fad827 authored by Amadren, committed by Benjamin Neff

Improve CSP for better Cloudflare support

closes #7367
parent f1c10911
+1 −0
@@ -9,6 +9,7 @@
* Cleanup rtl css [#7374](https://github.com/diaspora/diaspora/pull/7374)
* Increase visual spacing between list items [#7401](https://github.com/diaspora/diaspora/pull/7401)
* Remove unused gem and cucumber step [#7410](https://github.com/diaspora/diaspora/pull/7410)
* Disable CSP header when `report_only` and no `report_uri` is set [#7367](https://github.com/diaspora/diaspora/pull/7367)

## Bug fixes
* Don't hide posts when blocking someone from the profile [#7379](https://github.com/diaspora/diaspora/pull/7379)
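Review bot: the changelog line "Disable CSP header when `report_only` and no `report_uri` is set" leaves ambiguous which header is affected and what "set" refers to; since the code change only touches the report-only branch, consider spelling it out for admins, e.g. "Don't send the `Content-Security-Policy-Report-Only` header when `report_only` is true but no `report_uri` is configured [#7367]", so that pod admins who rely on the report-only header understand it will no longer be emitted without a report endpoint.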
+2 −1
@@ -567,10 +567,11 @@ configuration: ## Section
    ## party domains from services that are included in diaspora*, like OEmbed
    ## scripts, so you can safely activate it by setting `report_only` to false. If
    ## you customized diaspora* (edited templates or added own JS), additional work
    ## may be required. You can test the policy with the "report_uri". Our default CSP
    ## may be required. You can test the policy with the `report_uri`. Our default CSP
    ## does not work with Google analytics or Piwik, because they inject JS code that
    ## is blocked by CSP.
    csp:

      ## Report-Only header (default=true)
      ## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
      ## this to false, the "Content-Security-Policy" header is added instead.
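Review bot: the documentation change in this hunk only swaps the quoting around `report_uri`, but the behaviour introduced by this commit (no CSP header at all when `report_only` is true and `report_uri` is empty) is not mentioned anywhere in the example configuration. The `report_only` description just below ("By default diaspora* adds only a "Content-Security-Policy-Report-Only" header") will now be inaccurate for the default configuration, since no `report_uri` is set out of the box. Suggest adding a sentence such as "If `report_only` is true and no `report_uri` is configured, no CSP header is sent at all." to the `report_only` block, so admins can tell from the config file why no header appears in their responses.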
+1 −1
@@ -44,7 +44,7 @@ SecureHeaders::Configuration.default do |config|

  if AppConfig.settings.csp.report_only?
    config.csp = SecureHeaders::OPT_OUT
    config.csp_report_only = csp
    config.csp_report_only = csp if AppConfig.settings.csp.report_uri.present?
  else
    config.csp = csp
  end
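Review bot: in the `report_only?` branch, when `report_uri` is blank the new guard leaves `config.csp_report_only` at whatever default secure_headers ships with rather than opting out explicitly; please confirm that the default for `csp_report_only` is `SecureHeaders::OPT_OUT` in the gem version pinned by this project, otherwise a default report-only policy (not the `csp` hash built above) could still be sent. Making the intent explicit avoids depending on that default, e.g. `config.csp_report_only = AppConfig.settings.csp.report_uri.present? ? csp : SecureHeaders::OPT_OUT`. It would also help operators if this silent no-op were logged once at boot (a warning that `report_only` is enabled without a `report_uri`, so no CSP header will be emitted), since the resulting behaviour is otherwise indistinguishable from CSP being disabled.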