Merge remote-tracking branch 'upstream/pull/5469'

author Tom Hughes <tom@compton.nu>

Sun, 5 Jan 2025 16:14:18 +0000 (16:14 +0000)

committer Tom Hughes <tom@compton.nu>

Sun, 5 Jan 2025 16:14:18 +0000 (16:14 +0000)
author Tom Hughes <tom@compton.nu>
Sun, 5 Jan 2025 16:14:18 +0000 (16:14 +0000)
committer Tom Hughes <tom@compton.nu>
Sun, 5 Jan 2025 16:14:18 +0000 (16:14 +0000)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb

index 32b53bad71c3f431d79234d65e354f6cafcf13c9..1ef49bf4629c209a6e14a61c3fc97656c5405420 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -20,7 +20,7 @@ class ApplicationController < ActionController::Base
    helper_method :oauth_token
  
    def self.allow_thirdparty_images(**options)
-    content_security_policy(options) do |policy|
+    content_security_policy(**options) do |policy|
        policy.img_src("*", :data)
      end
    end
diff --git a/app/controllers/diary_comments_controller.rb b/app/controllers/diary_comments_controller.rb

index f6597cf4c0fac1f74fa69a2c12b9851fdc6ab4ad..676bc22a66a10306f1fc8c5f7628d40c5e7baee5 100644 (file)
--- a/app/controllers/diary_comments_controller.rb
+++ b/app/controllers/diary_comments_controller.rb
@@ -13,7 +13,7 @@ class DiaryCommentsController < ApplicationController
    before_action :lookup_user, :only => :index
    before_action :check_database_writable, :only => [:create, :hide, :unhide]
  
-  allow_thirdparty_images :only => :index
+  allow_thirdparty_images :only => [:index, :create]
  
    def index
      @title = t ".title", :user => @user.display_name
diff --git a/test/controllers/diary_comments_controller_test.rb b/test/controllers/diary_comments_controller_test.rb

index 65a71a9b57b05d8f4eda9c53a4f535d143d270b5..3ea9bc09400d5334d3a80044d68089736591b427 100644 (file)
--- a/test/controllers/diary_comments_controller_test.rb
+++ b/test/controllers/diary_comments_controller_test.rb
@@ -104,6 +104,7 @@ class DiaryCommentsControllerTest < ActionDispatch::IntegrationTest
      end
      assert_response :success
      assert_template :new
+    assert_match(/img-src \* data:;/, @response.headers["Content-Security-Policy-Report-Only"])
  
      # Now try again with the right id
      assert_difference "ActionMailer::Base.deliveries.size", entry.subscribers.count do
diff --git a/test/controllers/users_controller_test.rb b/test/controllers/users_controller_test.rb

index ba1af9509e0fbfaff740a279668f9aa4d247976c..7b554711f6e7dc28f52e4d695817332aba618d65 100644 (file)
--- a/test/controllers/users_controller_test.rb
+++ b/test/controllers/users_controller_test.rb
@@ -57,6 +57,8 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
      get user_new_path, :params => { :cookie_test => "true" }
      assert_response :success
  
+    assert_no_match(/img-src \* data:;/, @response.headers["Content-Security-Policy-Report-Only"])
+
      assert_select "html", :count => 1 do
        assert_select "head", :count => 1 do
          assert_select "title", :text => /Sign Up/, :count => 1
@@ -297,6 +299,7 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
  
      get user_path(user)
      assert_response :success
+    assert_match(/img-src \* data:;/, @response.headers["Content-Security-Policy-Report-Only"])
      assert_select "div.content-heading" do
        assert_select "a[href^='/user/#{ERB::Util.u(user.display_name)}/history']", 1
        assert_select "a[href='/user/#{ERB::Util.u(user.display_name)}/traces']", 1
author	Tom Hughes <tom@compton.nu>
	Sun, 5 Jan 2025 16:14:18 +0000 (16:14 +0000)
committer	Tom Hughes <tom@compton.nu>
	Sun, 5 Jan 2025 16:14:18 +0000 (16:14 +0000)
app/controllers/application_controller.rb		patch \| blob \| history
app/controllers/diary_comments_controller.rb		patch \| blob \| history
test/controllers/diary_comments_controller_test.rb		patch \| blob \| history
test/controllers/users_controller_test.rb		patch \| blob \| history