@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge


Add "object-src 'none'" to the Content-Security-Policy

Summary: See PHI399. Ref T4340. We don't require Flash/Java anywhere and can safely block them unconditionally in the Content-Security-Policy header.

Test Plan: Added a `<object ... />` tag to a page, saw "Blocked Plug-In" and a CSP warning in the browser console.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19154

src/aphront/response/AphrontResponse.php
··· 144 144 $csp[] = "frame-ancestors 'none'"; 145 145 } 146 146 147 + // Block relics of the old world: Flash, Java applets, and so on. 148 + $csp[] = "object-src 'none'"; 149 + 147 150 $csp = implode('; ', $csp); 148 151 149 152 return $csp;
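Review bot: the new comment and the Test Plan only name `<object>`, Flash and Java, but `object-src 'none'` also blocks `<embed>` (and `<applet>`) elements, so the comment could list those element types and the Test Plan could add an `<embed>` case so the change is verified for every element the directive governs; the placement itself is fine, as the directive is appended unconditionally after the `frame-ancestors` conditional closes and before `implode('; ', $csp)`, matching the Summary.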