This is an automated email from the ASF dual-hosted git repository. gcruz pushed a commit to branch gc/8504 in repository https://gitbox.apache.org/repos/asf/allura.git
commit afc0868b8f1d67e0b21b927b51eb989677b908a9
Author: Guillermo Cruz <[email protected]>
AuthorDate: Fri Mar 17 15:27:53 2023 -0500

[#8504] added 'report-sample' to report rules
---
 Allura/allura/lib/custom_middleware.py | 8 ++++----
 Allura/development.ini | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/Allura/allura/lib/custom_middleware.py b/Allura/allura/lib/custom_middleware.py
index 4d8e51c56..1ca8accc5 100644
--- a/Allura/allura/lib/custom_middleware.py
+++ b/Allura/allura/lib/custom_middleware.py
@@ -488,7 +488,7 @@ class ContentSecurityPolicyMiddleware:
 if asbool(self.config.get('csp.frame_sources_enforce', False)):
 rules.add(f"frame-src {self.config['csp.frame_sources']}")
 else:
- report_rules.add(f"frame-src {self.config['csp.frame_sources']}")
+ report_rules.add(f"frame-src {self.config['csp.frame_sources']} 'report-sample'")
 
 if self.config.get('csp.form_action_urls'):
 srcs = self.config['csp.form_action_urls']
@@ -497,7 +497,7 @@ class ContentSecurityPolicyMiddleware:
 if asbool(self.config.get('csp.form_actions_enforce', False)):
 rules.add(f"form-action {srcs}")
 else:
- report_rules.add(f"form-action {srcs}")
+ report_rules.add(f"form-action {srcs} 'report-sample'")
 
 if self.config.get('csp.script_src'):
 script_srcs = self.config['csp.script_src']
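Review bot: The `'report-sample'` keyword appended to the report-only `frame-src` rule on the `+` line of this hunk, and to `form-action` in the `@@ -497` hunk, has no effect in those directives as far as I can tell: per CSP3 a violation sample is only attached for inline script, style and event-handler violations, so the keyword does something for `script-src`/`style-src` and their `-elem`/`-attr` variants, while in navigation-type directives like these it is ignored by browsers and some policy validators warn about it. Unless a uniform suffix is intended, these two lines could stay as `report_rules.add(f"frame-src {self.config['csp.frame_sources']}")` and `report_rules.add(f"form-action {srcs}")`, keeping `'report-sample'` on the script directives only. If the suffix is kept on purpose, a one-line comment such as `# 'report-sample' is inert here; added for consistency with the script-src rules` would stop the next reader from "fixing" it. The enclosing method of ContentSecurityPolicyMiddleware starts and ends outside this hunk.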
@@ -512,13 +512,13 @@ class ContentSecurityPolicyMiddleware:
 if asbool(self.config.get('csp.script_src_enforce', False)):
 rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')}")
 else:
- report_rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')}")
+ report_rules.add(f"script-src {script_srcs} {self.config.get('csp.script_src.extras','')} 'report-sample'")
 
 if self.config.get('csp.script_src_attr'):
 if asbool(self.config.get('csp.script_src_attr_enforce', False)):
 rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}")
 else:
- report_rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')}")
+ report_rules.add(f"script-src-attr {self.config.get('csp.script_src_attr')} 'report-sample'")
 
 rules.add("object-src 'none'")
 rules.add("frame-ancestors 'self'")
diff --git a/Allura/development.ini b/Allura/development.ini
index 3b41bdf65..b73c0173c 100644
--- a/Allura/development.ini
+++ b/Allura/development.ini
@@ -685,7 +685,7 @@ csp.script_src.extras = 'unsafe-inline' 'unsafe-eval'
 
 ; to enable enforce mode on script-src-attr
 ;csp.script_src_attr_enforce = true
-csp.script_src_attr = 'self'
+csp.script_src_attr = 'none'
 ;
 ; Settings for comment reactions
 ;
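Review bot: With `'report-sample'` on the report-only `script-src` and `script-src-attr` lines of this hunk, every violation report now carries a prefix (the first 40 characters under CSP3) of the violating inline script or event-handler attribute, and that snippet can include page content rendered into the script; the collector behind the policy's report endpoint, which is configured outside this hunk, should therefore be treated as receiving potentially sensitive data. A comment above the first changed line would record this, e.g. `# 'report-sample' attaches a snippet of the violating inline code to each report;` `# the report endpoint must be trusted with that content`. The keyword is only added in the report-only branches, so an enforced policy that also reports gets no samples; that matches the commit title, but a short note saying it is intentional would help. As a style point, the literal `'report-sample'` is now repeated four times across the hunks; a single constant such as `REPORT_SAMPLE = "'report-sample'"` on the class would keep them in step. The enclosing method starts and ends outside the hunk.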
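Review bot: Changing `csp.script_src_attr` from `'self'` to `'none'` is the right value, since `'self'` cannot match an inline attribute, but with `;csp.script_src_attr_enforce = true` still commented out it means every inline `on*=` handler on the site now produces a report-only violation, and flipping enforcement on later would block all of them. The `; to enable enforce mode on script-src-attr` comment could say so, e.g. `; with 'none', enforce mode blocks every inline event-handler attribute; review the reports before enabling`.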
