Commit graph

20 commits

Author SHA1 Message Date
Matt Jankowski
78f29479ab Fix Rails/Present cop (#24688) 2023-04-30 06:47:50 +02:00
Nick Schonning
2a0d2453b0 Autofix Rubocop Style/IdenticalConditionalBranches (#24322) 2023-03-31 09:33:52 +02:00
Claire
d5fad31a45 Add form-action CSP directive (#20781) 2022-11-17 10:55:03 +01:00
Eugen Rochko
c0b3ebd307 Fix wrong directive unsafe-wasm-eval to wasm-unsafe-eval (#20729) 2022-11-15 03:39:06 +01:00
prplecake
a4f1043bb3 Use "unsafe-wasm-eval" instead of "unsafe-eval" in script-src CSP (#20606)
* Add "unsafe-eval" to script-src CSP

* Use 'unsafe-wasm-eval' instead of 'unsafe-eval'
2022-11-15 03:22:38 +01:00
prplecake
d870657f80 Add "unsafe-eval" to script-src CSP (#18817) 2022-10-26 19:23:16 +02:00
Yamagishi Kazutoshi
1d96010836 Fix LetterOpennerWeb CSP (#17770) 2022-03-14 19:20:40 +01:00
Eugen Rochko
1189a308c9 Fix autoloading deprecation warnings from Rails 6 (#16010) 2021-04-09 02:31:20 +02:00
Claire
b2a89bf38e Update Mastodon to Rails 6.1 (#15910)
* Update devise-two-factor to unreleased fork for Rails 6 support

Update tests to match new `rotp` version.

* Update nsa gem to unreleased fork for Rails 6 support

* Update rails to 6.1.3 and rails-i18n to 6.0

* Update to unreleased fork of pluck_each for Ruby 6 support

* Run "rails app:update"

* Add missing ActiveStorage config file

* Use config.ssl_options instead of removed ApplicationController#force_ssl

Disabled force_ssl-related tests as they do not seem to be easily testable
anymore.

* Fix nonce directives by removing Rails 5 specific monkey-patching

* Fix fixture_file_upload deprecation warning

* Fix yield-based test failing with Rails 6

* Use Rails 6's index_with when possible

* Use ActiveRecord::Cache::Store#delete_multi from Rails 6

This will yield better performances when deleting an account

* Disable Rails 6.1's automatic preload link headers

Since Rails 6.1, ActionView adds preload links for javascript files
in the Links header per default.

In our case, that will bloat headers too much and potentially cause
issues with reverse proxies. Furhermore, we don't need those links,
as we already output them as HTML link tags.

* Switch to Rails 6.0 default config

* Switch to Rails 6.1 default config

* Do not include autoload paths in the load path
2021-03-24 10:44:31 +01:00
ThibG
aa7142b9e2 Fix hashtag column options styling (#14247)
* Enable nonces for stylesheets

* Pass nonce to react-select
2020-07-07 01:33:38 +02:00
ThibG
b20d0db1eb Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679)
* Make sure wicg-inert doesn't rely on inline CSS

* Remove unsafe-inline from style-src
2020-05-08 21:22:57 +02:00
ThibG
fe7b81ac6b Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595) 2020-05-04 13:52:41 +02:00
ThibG
246c4d4fbf Fix OCR not working on Safari because of unsupported worker-src CSP (#13323)
Fixes #13321
2020-03-27 22:35:57 +01:00
ThibG
5a122f1450 Fix CSP needlessly allowing blob URLs in script-src (#11620) 2019-08-19 20:36:58 +02:00
Eugen Rochko
b1f116335c Fix media host not being included in connect-src for OCR (#11577) 2019-08-16 01:54:36 +02:00
Eugen Rochko
41b188dce6 Add OCR tool to media editing modal (#11566) 2019-08-15 15:13:26 +02:00
ThibG
f8e9555e73 Add manifest_src to CSP, add blob to connect_src (#8967) 2018-10-12 19:07:30 +02:00
Eugen Rochko
0dbb3a8786 Fix CSP headers blocking media and development environment (#8962)
Regression from #8957
2018-10-12 01:43:09 +02:00
ThibG
51c53e709f Set Content-Security-Policy rules through RoR's config (#8957)
* Set CSP rules in RoR's configuration

* Override CSP setting in the embed controller to allow frames
2018-10-11 20:35:46 +02:00
Yamagishi Kazutoshi
9761b940ac Upgrade Rails to version 5.2.0 (#5898) 2018-04-12 14:45:17 +02:00