csp: child-src is deprecated

pull/4412/head
Niklas Fiekas 2018-06-20 22:34:23 +02:00
parent b248fa7ce9
commit 9851210b90
2 changed files with 13 additions and 8 deletions


@ -99,7 +99,8 @@ trait AssetHelper { self: I18nHelper =>
connectSrc = List("'self'", assets, socket, socket + ":*", lila.api.Env.current.ExplorerEndpoint, lila.api.Env.current.TablebaseEndpoint),
styleSrc = List("'self'", "'unsafe-inline'", assets, "https://fonts.googleapis.com"),
fontSrc = List("'self'", assetDomain, "https://fonts.gstatic.com"),
childSrc = List("'self'", assets, "https://www.youtube.com"),
frameSrc = List("'self'", assets, "https://www.youtube.com"),
workerSrc = List("'self'", assets),
imgSrc = List("data:", "*"),
scriptSrc = List("'self'", assets, "https://cdnjs.cloudflare.com")
)
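Review bot: The new `workerSrc = List("'self'", assets)` only takes effect in browsers that implement `worker-src`; browsers that stop at CSP Level 2 govern workers through `child-src` and, now that it is no longer emitted, fall back to `default-src`, which is not visible in this hunk. If `default-src` does not cover the `assets` origin, workers served from there would be blocked in those browsers, so it is worth checking the default or keeping `child-src` emitted alongside the two new directives during the transition. At minimum, a comment above the line such as `// worker-src is CSP3; CSP2-only browsers use default-src for workers once child-src is dropped` would record the dependency. The enclosing call starts before the hunk.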


@ -5,7 +5,8 @@ case class ContentSecurityPolicy(
connectSrc: List[String],
styleSrc: List[String],
fontSrc: List[String],
childSrc: List[String],
frameSrc: List[String],
workerSrc: List[String],
imgSrc: List[String],
scriptSrc: List[String]
) {
@ -17,7 +18,7 @@ case class ContentSecurityPolicy(
def withStripe = copy(
connectSrc = "https://*.stripe.com" :: connectSrc,
scriptSrc = "https://*.stripe.com" :: scriptSrc,
childSrc = "https://*.stripe.com" :: childSrc
frameSrc = "https://*.stripe.com" :: frameSrc
)
def withSpreadshirt = copy(
@ -25,7 +26,8 @@ case class ContentSecurityPolicy(
connectSrc = "https://shop.spreadshirt.com" :: "https://api.spreadshirt.com" :: connectSrc,
styleSrc = Nil,
fontSrc = Nil,
childSrc = Nil,
frameSrc = Nil,
workerSrc = Nil,
imgSrc = Nil,
scriptSrc = Nil
)
@ -35,19 +37,20 @@ case class ContentSecurityPolicy(
connectSrc = "https://www.twitch.tv" :: "https://www-cdn.jtvnw.net" :: connectSrc,
styleSrc = Nil,
fontSrc = Nil,
childSrc = Nil,
frameSrc = Nil,
workerSrc = Nil,
imgSrc = Nil,
scriptSrc = Nil
)
def withTwitter = copy(
scriptSrc = "https://platform.twitter.com" :: "https://*.twimg.com" :: scriptSrc,
childSrc = "https://platform.twitter.com" :: childSrc,
frameSrc = "https://platform.twitter.com" :: frameSrc,
styleSrc = "https://platform.twitter.com" :: styleSrc
)
def withGoogleForm = copy(
childSrc = "https://docs.google.com" :: childSrc
frameSrc = "https://docs.google.com" :: frameSrc
)
override def toString: String =
@ -56,7 +59,8 @@ case class ContentSecurityPolicy(
"connect-src " -> connectSrc,
"style-src " -> styleSrc,
"font-src " -> fontSrc,
"child-src " -> childSrc,
"frame-src " -> frameSrc,
"worker-src " -> workerSrc,
"img-src " -> imgSrc,
"script-src " -> scriptSrc
) collect {
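Review bot: `frameSrc = Nil` and `workerSrc = Nil` in `withSpreadshirt` and in the copy that adds the Twitch hosts read as "no frames, no workers", but whether they behave that way depends on how `toString` renders an empty list, and the `collect` that decides it opens on the last line with its body outside the hunk. If empty lists are left out of the header, both directives fall back towards `default-src` on those pages instead of being set to `'none'`. A comment on the case class would settle it, for example `// Nil omits the directive (falls back to default-src); it does not emit 'none'`, adjusted to whatever `collect` actually does.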