
Fix CSP errors

- jQuery UI loads images from ajax.googleapis.com.
- JS Calendar control relies on eval(), so 'unsafe-eval' is whitelisted on that page until we replace this control.
1 parent 8ac7f9c commit df605e1d2479a01f594773a4575c2e39b5c6ade2 @vboctor vboctor committed Aug 27, 2016
Showing with 8 additions and 3 deletions.
  1. +8 −3 core/http_api.php
@@ -219,9 +219,9 @@ function http_security_headers() {
# White list the CDN urls (if enabled)
if ( config_get_global( 'cdn_enabled' ) == ON ) {
- $t_cdn_url = 'https://ajax.googleapis.com';
- http_csp_add( 'style-src', $t_cdn_url );
- http_csp_add( 'script-src', $t_cdn_url );
+ http_csp_add( 'style-src', 'ajax.googleapis.com' );
+ http_csp_add( 'script-src', 'ajax.googleapis.com' );
+ http_csp_add( 'img-src', 'ajax.googleapis.com' );
}
# Relaxing policy for roadmap page to allow inline styles
@@ -230,6 +230,11 @@ function http_security_headers() {
http_csp_add( 'style-src', "'unsafe-inline'" );
}
+ # The JS Calendar control does unsafe eval, remove once we upgrade the control (see #20040)
+ if( 'bug_update_page.php' == basename( $_SERVER['SCRIPT_NAME'] ) ) {
+ http_csp_add( 'script-src', "'unsafe-eval'" );
+ }
+
http_csp_emit_header();
if( http_is_protocol_https() ) {
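Review bot: The three http_csp_add() calls in the first hunk drop the `https://` scheme that the removed lines carried, so on an instance served over plain HTTP a scheme-less host source now also permits `http://ajax.googleapis.com`, i.e. scripts and styles fetched over cleartext, whereas the old form pinned the CDN to TLS regardless of how the page itself was loaded. Nothing in the description explains this change and the img-src fix does not require it, so keep the scheme: `http_csp_add( 'style-src', 'https://ajax.googleapis.com' );` and likewise for script-src and img-src (or keep the old `$t_cdn_url` variable and pass it three times). In the second hunk the `'unsafe-eval'` relaxation is keyed on `basename( $_SERVER['SCRIPT_NAME'] )`; if the calendar control is also emitted on other pages (presumably the report page when date custom fields exist), those would still be blocked, so it may be cleaner for the code that renders the control to request the relaxation itself rather than hard-coding page names here. http_security_headers() begins before the first hunk and its body continues past the last line shown.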
