Commit 32112369 authored by Christophe Maudoux's avatar Christophe Maudoux 🐛

Set default formAction CSP (#1499)

parent 304216bd
...@@ -33,7 +33,7 @@ sub defaultValues { ...@@ -33,7 +33,7 @@ sub defaultValues {
'cspConnect' => '\'self\'', 'cspConnect' => '\'self\'',
'cspDefault' => '\'self\'', 'cspDefault' => '\'self\'',
'cspFont' => '\'self\'', 'cspFont' => '\'self\'',
'cspFormAction' => '*', 'cspFormAction' => '\'self\'',
'cspImg' => '\'self\' data:', 'cspImg' => '\'self\' data:',
'cspScript' => '\'self\'', 'cspScript' => '\'self\'',
'cspStyle' => '\'self\'', 'cspStyle' => '\'self\'',
......
...@@ -920,7 +920,7 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.] ...@@ -920,7 +920,7 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'type' => 'text' 'type' => 'text'
}, },
'cspFormAction' => { 'cspFormAction' => {
'default' => '*', 'default' => '\'self\'',
'type' => 'text' 'type' => 'text'
}, },
'cspImg' => { 'cspImg' => {
......
...@@ -615,7 +615,7 @@ sub attributes { ...@@ -615,7 +615,7 @@ sub attributes {
}, },
cspFormAction => { cspFormAction => {
type => 'text', type => 'text',
default => "*", default => "'self'",
documentation => 'Form action destination for Content-Security-Policy', documentation => 'Form action destination for Content-Security-Policy',
}, },
cspImg => { cspImg => {
......
...@@ -723,7 +723,7 @@ sub sendHtml { ...@@ -723,7 +723,7 @@ sub sendHtml {
# Set authorized URL for POST # Set authorized URL for POST
my $csp my $csp
= $self->csp . "form-action 'self' " . $self->conf->{cspFormAction}; = $self->csp . "form-action " . $self->conf->{cspFormAction};
if ( my $url = $req->urldc ) { if ( my $url = $req->urldc ) {
$self->logger->debug("Required urldc : $url"); $self->logger->debug("Required urldc : $url");
$url =~ s#(https?://[^/]+).*#$1#; $url =~ s#(https?://[^/]+).*#$1#;
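Review bot: The rewritten `$csp` line in sendHtml no longer guarantees that `'self'` appears in form-action; it emits exactly what `$self->conf->{cspFormAction}` holds, so a deployment whose setting lists only external origins would block the portal's own form posts, and an undefined value would yield a bare `form-action` directive (with an uninitialized-value warning if warnings are enabled). Consider a fallback at the point of use, `. ( $self->conf->{cspFormAction} // "'self'" )`, or keep `'self'` unconditionally as before and append the configured value after it. Either way the attribute's `documentation` string in the attributes hunk should state that the value must include `'self'` for the portal's own forms to keep working. The urldc branch presumably appends a further origin to this base string; the rest of sendHtml's body is outside the hunk.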
......