Homestyx hydra
Diffusion hydra a5efd7eedb3c

Add "object-src 'none'" to the Content-Security-Policy
a5efd7eedb3c
Actions

Description

Add "object-src 'none'" to the Content-Security-Policy

Summary: See PHI399. Ref T4340. We don't require Flash/Java anywhere and can safely block them unconditionally in the Content-Security-Policy header.

Test Plan: Added a <object ... /> tag to a page, saw "Blocked Plug-In" and a CSP warning in the browser console.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19154

Details

Provenance
epriestleyAuthored on Feb 28 2018, 5:15 PM
sirocylPushed on Oct 16 2024, 5:49 AM
Parents
R1:f114b2dd7d4b: When viewing a live build log, trap users in a small personal hell where…
Branches
Unknown
Tags
Unknown

Event Timeline

Changes (1)

PathSize
src/
aphront/
response/

R1:a5efd7eedb3c

View Options

src/aphront/response/AphrontResponse.php

Loading...
styx copyright 2020 sirocyl / ellie (kymkdd) / ncommander / styx contributors
Use of other names and brands is not intended to reflect a claim of, or right to, use the name or brand.
styx is an operating system using the Linux kernel and components, and "styx Linux" as a phrase does not reflect the inclusion of the Linux brand or trademark in the styx project.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
Terms and Conditions (TODO: fix this!)