Unverified Commit 30fad827 authored by Amadren's avatar Amadren Committed by Benjamin Neff

Improve csp for a better cloudflare support

closes #7367
parent f1c10911
......@@ -9,6 +9,7 @@
* Cleanup rtl css [#7374](https://github.com/diaspora/diaspora/pull/7374)
* Increase visual spacing between list items [#7401](https://github.com/diaspora/diaspora/pull/7401)
* Remove unused gem and cucumber step [#7410](https://github.com/diaspora/diaspora/pull/7410)
* Disable CSP header when `report_only` and no `report_uri` is set [#7367](https://github.com/diaspora/diaspora/pull/7367)
## Bug fixes
* Don't hide posts when blocking someone from the profile [#7379](https://github.com/diaspora/diaspora/pull/7379)
......
......@@ -567,10 +567,11 @@ configuration: ## Section
## party domains from services that are included in diaspora*, like OEmbed
## scripts, so you can safely activate it by setting `report_only` to false. If
## you customized diaspora* (edited templates or added own JS), additional work
## may be required. You can test the policy with the "report_uri". Our default CSP
## may be required. You can test the policy with the `report_uri`. Our default CSP
## does not work with Google analytics or Piwik, because they inject JS code that
## is blocked by CSP.
csp:
## Report-Only header (default=true)
## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
## this to false, the "Content-Security-Policy" header is added instead.
......
......@@ -44,7 +44,7 @@ SecureHeaders::Configuration.default do |config|
if AppConfig.settings.csp.report_only?
config.csp = SecureHeaders::OPT_OUT
config.csp_report_only = csp
config.csp_report_only = csp if AppConfig.settings.csp.report_uri.present?
else
config.csp = csp
end
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment