safeweb: allow object-src: self in CSP (#11782)

This change is safe (self is still safe, by
definition), and makes the code match the comment.

Updates #cleanup

Signed-off-by: Chris Palmer <cpalmer@tailscale.com>
pull/11779/head
Chris Palmer 2 weeks ago committed by GitHub
parent e775de3c63
commit bdfaef4879
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -89,7 +89,7 @@ var defaultCSP = strings.Join([]string{
`form-action 'self'`, // disallow form submissions to other origins
`base-uri 'self'`, // disallow base URIs from other origins
`block-all-mixed-content`, // disallow mixed content when serving over HTTPS
`object-src 'none'`, // disallow embedding of resources from other origins
`object-src 'self'`, // disallow embedding of resources from other origins
}, "; ")
// Config contains the configuration for a safeweb server.
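Review bot: This widens the policy rather than only matching the comment: at the line `object-src 'self'`, same-origin `<object>`, `<embed>` and `<applet>` loads become allowed, whereas the replaced `object-src 'none'` blocked plugin/object content entirely, and `'none'` is the value generally recommended for `object-src` when the application has no need for embedded plugin content. If no safeweb consumer needs same-origin embeds, consider keeping `object-src 'none'` and correcting the comment instead (for example `// disallow embedding of plugin/object content entirely`); if a consumer does need it, the commit message should say which one, since "self is still safe, by definition" does not hold for object-src the way it does for directives like `base-uri` or `form-action`.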
