Markdown Security Policy to allow local HTTP content #46473

Merged
merged 1 commit into from Mar 26, 2018

anoff commented Mar 24, 2018

fixes #46418

Added another Security Policy option that allows image, media, style and font data to be loaded via (unsafe) http from localhost and 127.0.0.1. Even though Google CSP Evaluator recommends adding object-src to prevent injection, I refrained from adding it, as it would deviate from the standard set by the existing policies. Maybe worth updating all of them in one PR?


Steps taken to test:

  • ran tests: 3934 passing
  • successful local build for darwin
  • tested new policy that it won't load http:// from www but will load from localhost web server
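
The distinction tested in the last step above (plain http:// refused from the web, accepted from a localhost web server), as an added example that is not code from this PR or from VS Code. The policy object is constructed for illustration, and `matchesSource` and `allows` are hypothetical helpers implementing a simplified subset of CSP source matching (scheme-sources and scheme://host:port host-sources only).

```javascript
// Constructed policy for illustration (not the PR's actual policy string).
const LOCAL_HTTP = ["http://localhost:*", "http://127.0.0.1:*"];
const INSECURE_LOCAL_POLICY = {
  "default-src": ["'none'"],
  "img-src": ["https:", "data:", ...LOCAL_HTTP],
  "media-src": ["https:", "data:", ...LOCAL_HTTP],
  "style-src": ["'unsafe-inline'", "https:", "data:", ...LOCAL_HTTP],
  "font-src": ["https:", "data:", ...LOCAL_HTTP],
  "script-src": ["'nonce-CONSTRUCTED'"], // scripts are not loosened
};
const DEFAULT_PORT = { http: "80", https: "443" };

// Hypothetical helper: does one source expression match a parsed URL?
// Simplified: exact scheme match, no wildcard hosts, no path matching.
function matchesSource(source, url) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return url.protocol === source.toLowerCase(); // scheme-source, e.g. "https:"
  }
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^:\/]+)(?::(\*|\d+))?$/i.exec(source);
  if (!m) return false; // keywords such as 'none' or nonces never match a URL
  const scheme = m[1].toLowerCase();
  if (url.protocol !== scheme + ":") return false;
  // Compare the full hostname so localhost.example.com is not "localhost".
  if (url.hostname !== m[2].toLowerCase()) return false;
  if (m[3] === "*") return true; // any port
  const wanted = m[3] || DEFAULT_PORT[scheme];
  return (url.port || DEFAULT_PORT[scheme]) === wanted;
}

// Hypothetical helper: would `directive` permit loading `rawUrl`?
// Falls back to default-src when the directive is absent, as CSP does.
function allows(directive, rawUrl, policy = INSECURE_LOCAL_POLICY) {
  const url = new URL(rawUrl);
  const sources = policy[directive] || policy["default-src"] || [];
  return sources.some((s) => matchesSource(s, url));
}

// Constructed sample URLs.
for (const [directive, url] of [
  ["img-src", "http://localhost:8080/logo.png"],
  ["img-src", "http://example.com/logo.png"],
  ["img-src", "http://localhost.example.com/logo.png"],
  ["script-src", "http://localhost:8080/app.js"],
]) {
  console.log(directive, url, allows(directive, url) ? "allowed" : "blocked");
}
```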
msftclas commented Mar 24, 2018

CLA assistant check
All CLA requirements met.

@mjbvz mjbvz added this to the March 2018 milestone Mar 26, 2018

@mjbvz mjbvz merged commit e64b9b4 into Microsoft:master Mar 26, 2018

2 of 3 checks passed

continuous-integration/travis-ci/pr The Travis CI build could not complete due to an error
continuous-integration/appveyor/pr AppVeyor build succeeded
license/cla All CLA requirements met.
mjbvz commented Mar 26, 2018

Great! This will be in the insiders build and should go out in VS Code 1.22
