couchdb-dev mailing list archives

From robertkowalski <...@git.apache.org>
Subject [GitHub] couchdb pull request: Add Experimental Content-Security-Policy-Sup...
Date Sun, 18 May 2014 22:19:43 GMT
Github user robertkowalski commented on a diff in the pull request:

    https://github.com/apache/couchdb/pull/233#discussion_r12776674
  
    --- Diff: src/couchdb/couch_httpd_misc_handlers.erl ---
    @@ -79,6 +80,15 @@ handle_utils_dir_req(#httpd{method='GET'}=Req, DocumentRoot) ->
     handle_utils_dir_req(Req, _) ->
         send_method_not_allowed(Req, "GET,HEAD").
     
    +maybe_add_csp_headers(Headers, "false") ->
    +    Headers;
    +maybe_add_csp_headers(Headers, "true") ->
    +    DefaultValues = "default-src 'self'; img-src *; font-src *; " ++
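    Review bot: maybe_add_csp_headers/2 has clauses only for the exact strings "false" and "true", so any other configuration value (the key unset, or a different spelling such as "True") raises function_clause and fails the request instead of falling back to sending no CSP header. Add a final catch-all clause, e.g. `maybe_add_csp_headers(Headers, _) -> Headers;`, or normalize the value before matching. The default policy in the "true" clause also opens `img-src *` and `font-src *` to any origin; both are worth narrowing once the external font dependency is gone.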
    --- End diff --
    
    Good questions! Here are the points I found:
    
    - Regarding fonts: we are currently loading fonts from a netdna CDN; I already want to remove this in https://issues.apache.org/jira/browse/COUCHDB-2238
    
    - `unsafe-eval`: our dependency lodash needs it for the templating, if I remember right
    
    - img-src: I will have a look again and change it if everything works
    
    - style-src: we have a lot of inline styles that we depend on; sometimes it is not that easy to remove them
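The directive trade-offs in the reply (wildcard `img-src`/`font-src`, `'unsafe-eval'` for lodash templating, inline styles under `style-src`) can be checked mechanically. The Python below is an added example, not CouchDB's code: it parses a CSP value, resolves the `default-src` fallback, and flags the sources that widen the policy. The policy string completes the fragment visible in the diff with assumed `script-src` and `style-src` directives.

```python
"""Parse a Content-Security-Policy value and flag directives that widen it."""
from typing import Dict, List

# Constructed policy (assumption): the diff shows only the first fragment,
# "default-src 'self'; img-src *; font-src *; "; the script-src and
# style-src directives are assumed from the reply's points about lodash
# needing 'unsafe-eval' and the inline styles that are hard to remove.
EXAMPLE_POLICY = (
    "default-src 'self'; img-src *; font-src *; "
    "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
)

# Fetch directives that fall back to default-src when they are absent.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "font-src",
                         "connect-src", "media-src", "object-src"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directives are ';'-separated; tokens inside one are whitespace-separated.
    A repeated directive is ignored, as browsers honour the first occurrence.
    """
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Sources that actually apply to `name`, honouring the default-src fallback."""
    if name in directives:
        return directives[name]
    if name in FALLS_BACK_TO_DEFAULT:
        return directives.get("default-src", [])
    return []


def find_weak_directives(policy: str) -> List[str]:
    """Report sources that broaden the policy beyond same-origin."""
    findings = []
    for name, sources in parse_csp(policy).items():
        if "*" in sources:
            findings.append(f"{name}: '*' allows loading from any origin")
        if "'unsafe-eval'" in sources:
            findings.append(f"{name}: 'unsafe-eval' permits eval()/new Function")
        if "'unsafe-inline'" in sources:
            findings.append(f"{name}: 'unsafe-inline' permits inline scripts/styles")
    return findings
```

Running `find_weak_directives(EXAMPLE_POLICY)` yields four findings (two wildcards, one `'unsafe-eval'`, one `'unsafe-inline'`), while `effective_sources` shows that omitting `style-src` entirely would inherit `'self'` from `default-src` and block the inline styles the reply mentions.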


