@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Include the primary domain in the Content-Security-Policy explicitly if there's no CDN

Summary:
Ref T4340. If you don't configure a CDN and visit a custom site (like a Phame blog site, or a CORGI sandbox internally) we serve resources from the main site. This violates the Content-Security-Policy.

When there's no CDN, include the primary domain in the CSP explicitly.

Test Plan: Loaded `local.www.phacility.com`, got resources.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19170

+8 -1
src/aphront/response/AphrontResponse.php
··· 109 109 if ($cdn) { 110 110 $default = $this->newContentSecurityPolicySource($cdn); 111 111 } else { 112 - $default = "'self'"; 112 + // If an alternate file domain is not configured and the user is viewing 113 + // a Phame blog on a custom domain or some other custom site, we'll still 114 + // serve resources from the main site. Include the main site explicitly. 115 + 116 + $base_uri = PhabricatorEnv::getURI('/'); 117 + $base_uri = $this->newContentSecurityPolicySource($base_uri); 118 + 119 + $default = "'self' {$base_uri}"; 113 120 } 114 121 115 122 $csp[] = "default-src {$default}";
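Review bot: The new `else` branch (lines 112-119) appends the main-site source to `default-src` unconditionally whenever no CDN is configured, so responses served on the primary domain itself also carry the explicit origin even though `'self'` already covers it there; that is harmless but worth stating in the comment on lines 112-114, since a reader may otherwise assume the broadening is limited to custom-domain responses. Before landing, also confirm that `newContentSecurityPolicySource()` reduces the result of `PhabricatorEnv::getURI('/')` to an origin-only source (scheme, host and port, no trailing path), because `getURI('/')` by its name returns a full URI with a path component and a path-bearing source expression would make the policy narrower than the comment suggests. The Test Plan only exercises a custom site (`local.www.phacility.com`); add a check of the emitted `Content-Security-Policy` header on the primary domain so the two-origin `default-src` value is seen in both cases, e.g. `default-src 'self' https://primary.example` (constructed placeholder host).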