@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge
phorge phabricator

Block use of "<base />" in the Content Security Policy

Summary: Ref T4340. We don't use "<base />" so we can safely block it.

Test Plan: Injected "<base />" into a page, saw an error in the console showing that the browser had blocked it.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19158
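As an added illustration (not Phorge or Phabricator code, and not from this commit's author), the Node.js snippet below shows what an injected `<base>` does to relative references on a page and how a `base-uri` directive like the one this commit adds is evaluated. The page URL, the attacker origin and the policy strings are constructed for the example; the matcher implements only the `'none'`, `'self'`, `*` and origin source expressions, not the full CSP matching algorithm.

```javascript
// Added example, not project code. Demonstrates <base> hijacking of
// relative URLs and a toy evaluator for the CSP `base-uri` directive.

// Resolve a relative reference the way a browser does, honouring an
// (optionally injected) <base href>. Uses the WHATWG URL API.
function resolveWithBase(pageUrl, baseHref, relativeRef) {
  const docBase = baseHref ? new URL(baseHref, pageUrl) : new URL(pageUrl);
  return new URL(relativeRef, docBase).href;
}

// Parse a serialized policy ("a b; c d") into { directive: [sources] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    out[name.toLowerCase()] = sources;
  }
  return out;
}

// Would the browser honour <base href=baseHref> under this policy?
// Note: base-uri does NOT fall back to default-src, so a policy with no
// base-uri directive places no restriction on <base> at all.
function baseAllowedByCsp(csp, pageUrl, baseHref) {
  const sources = parseCsp(csp)['base-uri'];
  if (!sources) return true;
  if (sources.length === 1 && sources[0] === "'none'") return false;
  const pageOrigin = new URL(pageUrl).origin;
  const targetOrigin = new URL(baseHref, pageUrl).origin;
  return sources.some((src) => {
    if (src === "'self'") return targetOrigin === pageOrigin;
    if (src === '*') return true;
    try {
      return new URL(src).origin === targetOrigin; // scheme://host[:port]
    } catch {
      return false; // source expressions this toy matcher does not model
    }
  });
}

// Worked scenario: an attacker who can inject markup before the page's
// <script src="js/app.js"> adds <base href="https://attacker.test/">.
function demo() {
  const pageUrl = 'https://example.test/app/page'; // constructed
  const injectedBase = 'https://attacker.test/';    // constructed
  const relativeScript = 'js/app.js';
  const policy = "form-action 'self'; base-uri 'none'";
  return {
    legitimate: resolveWithBase(pageUrl, null, relativeScript),
    hijacked: resolveWithBase(pageUrl, injectedBase, relativeScript),
    blockedByPolicy: !baseAllowedByCsp(policy, pageUrl, injectedBase),
  };
}
```

The `hijacked` value shows why a blocked `<base>` matters: every relative script, stylesheet and form action on the page would silently start resolving against the attacker's origin. `blockedByPolicy` is `true` only because the policy carries an explicit `base-uri` entry; dropping it, or relying on `default-src`, leaves the injection effective.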

src/aphront/response/AphrontResponse.php
··· 154 154 // download URI instead of submitting a form to it. 155 155 $csp[] = "form-action 'self'"; 156 156 157 + // Block use of "<base>" to change the origin of relative URIs on the page. 158 + $csp[] = "base-uri 'none'"; 159 + 157 160 $csp = implode('; ', $csp); 158 161 159 162 return $csp;
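Review bot: the new comment above `$csp[] = "base-uri 'none'";` understates what `<base>` does; it changes the base URL (scheme, host and path) that every relative reference on the page resolves against, and also the default link target, not only "the origin of relative URIs". Consider rewording to "Block use of <base>, which would change the base URL every relative URI on the page resolves against". Worth noting in the same comment that `base-uri` does not inherit from `default-src`, so this explicit entry is the only thing restricting it, and that `base-uri` is a CSP Level 2 directive, so browsers implementing only Level 1 ignore it silently and the console error in the test plan will not appear there.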