hedgedoc

mirror of https://github.com/hedgedoc/hedgedoc.git synced 2025-02-12 15:12:29 +00:00

History

David Mehren 9499add64c Tighten up default Content-Security-Policy This commit changes the - default-src to none, so everything is disallowed by default - base-uri, connect-uri and font-src to self, so these are restricted to the current origin - frame-src to allow SlideShare, Vimeo and YouTube - script-src to the specific paths that are used by HedgeDoc to serve scripts. This explicitly does not include the /uploads route - style-src to the specific paths that are used by HedgeDoc to serve styles - Signed-off-by: David Mehren <git@herrmehren.de>		2021-08-15 00:22:30 +02:00
..
config	Fix unescaped line break in `git` output	2021-08-15 00:16:46 +02:00
migrations
models	Add help link and short explanation for failing migrations	2021-07-21 00:06:07 +02:00
ot
web	fix(image-upload): Fix swallowing of errors for filesystem	2021-08-14 20:04:08 +02:00
workers
csp.js	Tighten up default Content-Security-Policy	2021-08-15 00:22:30 +02:00
errors.js
history.js
letter-avatars.js
logger.js
prometheus.js
realtime.js
response.js
utils.js	Exclude /metrics and /status routes from session initialization	2021-07-20 23:56:54 +02:00