Implement CSP 'frame-ancestors' header for Gdn_Controller #8970

Merged: initvector merged 4 commits into master from feature/551-patches-csp-frame-ancestors on Jun 19, 2019

@alex-mtl commented Jun 17, 2019

Release Notes

These are mostly important for the OSS release.

Upgrade Notes

  • Delete container.html from the root of the vanilla installation.
  • Run /utility/update.

PR

Output container.html page through GDN_Controller to apply all standard checks and headers

Apply CSP 'frame-ancestors' header for Gdn_Controller

Closes: https://github.com/vanilla/vanilla-patches/issues/551
Note: Requires running utility/update to add the new route for container.html (no DB change)

@alex-mtl added and removed the label "Status: WIP" (This pull request is currently in progress. Do NOT merge it.) Jun 17, 2019
@alex-mtl added the labels "Release: DB Update" (☢️☢️☢️ This pull request contains a database update. ☢️☢️☢️) and "Status: Needs Backport" (This issue requires a backport once it has been fixed.) Jun 17, 2019
@alex-mtl added this to the 2019-06-26 milestone Jun 17, 2019
@charrondev added the label "Release: Custom Notes" (Indicate that this pull request has specially written release notes.) Jun 19, 2019

$hsts = Gdn::factory('HstsModel');
$this->_Headers[HttpStrictTransportSecurityModel::HSTS_HEADER] = $hsts->getHsts();

$cspModel = Gdn::factory(ContentSecurityPolicyModel::class);
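
Review bot: The two model lookups here are resolved inconsistently: `$hsts` is fetched through the string alias 'HstsModel' while `$cspModel` is requested by `ContentSecurityPolicyModel::class`, and the HSTS header name on the second line is read from `HttpStrictTransportSecurityModel::HSTS_HEADER`, a class name that does not match the alias used one line above. Resolving both by class constant would keep each lookup tied to the same type as the constants it is used with and would let static analysis catch a rename. In the visible lines the `$cspModel` result is also assigned without a type annotation or a check that the container returned the expected model, so a missing container rule would only surface when a method is first called on it; a `/** @var ContentSecurityPolicyModel $cspModel */` annotation or an instanceof guard at this point would make that failure explicit.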

I'm trying to get rid of Gdn::factory() (it just uses the container internally at this point). #7459

The standard way for this is Gdn::getContainer()->get() instead.

@initvector merged commit afef345 into master Jun 19, 2019
@linc deleted the feature/551-patches-csp-frame-ancestors branch September 21, 2019 14:02
@charrondev added the label "Status: Backported" (The fix for this issue has been successfully backported.) and removed the label "Status: Needs Backport" (This issue requires a backport once it has been fixed.) Jan 14, 2020