Set a deny-all Content-Security-Policy header when none is set

No functional change is expected: all responses that did not have a CSP header previously (e.g. API responses, static assets...) should now have one. This default Content-Security-Policy is strict and is expected to deny everything, as nothing is expected to be loaded/executed/... from those resources.

Part of request #17967: Deploy a useful content security policy

Change-Id: I79e3cbf0612c5ee592e6b01dc55418edc117ff74
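The "set a deny-all policy only when none is set" behaviour described above, as an added nginx example that is not the project's own configuration: the policy is keyed off the header returned by the upstream application, so responses that already carry a CSP are left untouched while everything else (including files nginx serves itself, where the upstream variable is empty) gets `default-src 'none'`. The upstream address, the variable name `$default_csp` and the location layout are assumptions.

```nginx
# Added example, not Tuleap's own nginx configuration.
# $upstream_http_content_security_policy holds the CSP header sent by the
# proxied/FastCGI application, or "" when the application sent none or when
# nginx served the file itself. nginx does not emit a header whose value
# is an empty string, so mapping "default" to "" means "add nothing".
map $upstream_http_content_security_policy $default_csp {
    default "";                     # application already set a policy
    ""      "default-src 'none';";  # no policy: deny loading/executing anything
}

server {
    listen 443 ssl;
    server_name tuleap.example.test;   # placeholder hostname

    # 'always' also applies the header to 4xx/5xx responses, which are
    # skipped by add_header without it.
    add_header Content-Security-Policy $default_csp always;

    location /assets/ {
        # Static files: no upstream, so $default_csp is the deny-all policy.
        # add_header is only inherited when a location defines none of its
        # own, so any location that adds other headers must repeat this line.
        add_header Content-Security-Policy $default_csp always;
        root /usr/share/tuleap;        # placeholder path
    }

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

A quick check after reload is to request a static asset and an API endpoint and confirm each response carries exactly one Content-Security-Policy header, since a page that already sets its own policy must not end up with two.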

Modified Files

A  src/etc/nginx/tuleap-managed-global-settings.conf  (+6 −0)
M  src/etc/nginx/tuleap.d/03-locations.conf  (+3 −0)
A  src/etc/nginx/tuleap.d/09-content-security-policy.conf  (+4 −0)
M  tools/Configuration/Nginx/Common.php  (+16 −9)