[0.6] client/webserver: keep IPv6 out of csp header #2287
Merged
Minimal fix for release-v0.6.
Pertaining to #2283, this just filters out IPv6 addresses from injection into the csp part of the http response header.
Even though all IPv4 except 127.0.0.1 do not match (we must rely on `'self'` working correctly for these), they do not make the CSP entry invalid, so we are continuing to insert those so we do not create a change of behavior.

On master we may actually remove this `content-src` injection since the browser bug was fixed about a year ago. On master, we should also update the backend log line that prints out the URL so that it doesn't include the wildcard address since that's no good for a browser address.

All this PR does is to avoid adding IPv6 addresses, since those actually make the CSP invalid. Examples: