When you write something like `allow_thirdparty_images :only => :index` you'd expect the CSP to be altered only on the `index` action. But actually `:only => ...` was ignored and `allow_thirdparty_images` ran on all actions because `content_security_policy` didn't receive `options` correctly.
Other `allow_` methods from `app/controllers/application_controller.rb` should be similarly fixed, except I haven't figured out whether they are required at all. For example `allow_all_form_action` in `app/controllers/oauth2_authorizations_controller.rb` came from https://github.com/openstreetmap/openstreetmap-website/commit/b96f3867e61dad3d7f14a0d8da01ea0cab1c83ec, but are redirects done using form actions? Forms in `app/views/oauth2_authorizations/new.html.erb` have actions pointing to the osm website.

You can view, comment on, or merge this pull request online at:
https://github.com/openstreetmap/openstreetmap-website/pull/5469

-- Commit Summary --

* Fix options passed by allow_thirdparty_images
* Allow thirdparty images on failed diary comment saves

-- File Changes --

M app/controllers/application_controller.rb (2)
M app/controllers/diary_comments_controller.rb (2)
M test/controllers/diary_comments_controller_test.rb (1)
M test/controllers/users_controller_test.rb (3)

-- Patch Links --

https://github.com/openstreetmap/openstreetmap-website/pull/5469.patch
https://github.com/openstreetmap/openstreetmap-website/pull/5469.diff
_______________________________________________ rails-dev mailing list rails-dev@openstreetmap.org https://lists.openstreetmap.org/listinfo/rails-dev
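To show the option-forwarding defect the PR describes, here is an added standalone Ruby model; it is not the project's code and assumes no Rails is installed, so a small `MiniController` stands in for the way `content_security_policy` hands `:only`/`:except` to `before_action`. A helper that swallows its options registers an unrestricted filter, so the policy change lands on every action:

```ruby
# Minimal stand-in for Rails' controller-level content_security_policy
# (assumption: models only the only:/except: filtering, nothing else).
class MiniController
  @filters = []

  class << self
    attr_reader :filters

    # Give each subclass its own filter list, as Rails does per controller.
    def inherited(subclass)
      super
      subclass.instance_variable_set(:@filters, [])
    end

    # Mirrors Rails: options such as only:/except: restrict the filter.
    def content_security_policy(**options, &block)
      only   = Array(options[:only]).map(&:to_s)
      except = Array(options[:except]).map(&:to_s)
      @filters << [only, except, block]
    end

    # Buggy helper: accepts options but never forwards them, so the
    # policy change applies to every action (the defect in the PR).
    def allow_thirdparty_images_buggy(**_options)
      content_security_policy { |policy| policy[:img_src] << "*" }
    end

    # Fixed helper: forwards options so :only / :except are honoured.
    def allow_thirdparty_images(**options)
      content_security_policy(**options) { |policy| policy[:img_src] << "*" }
    end

    # Run the registered filters for one action; return the resulting policy.
    def policy_for(action)
      policy = { img_src: ["'self'"] }
      filters.each do |only, except, block|
        next if only.any? && !only.include?(action.to_s)
        next if except.include?(action.to_s)
        block.call(policy)
      end
      policy
    end
  end
end

class BuggyDiaryController < MiniController
  allow_thirdparty_images_buggy :only => :index
end

class FixedDiaryController < MiniController
  allow_thirdparty_images :only => :index
end
```

Calling `BuggyDiaryController.policy_for(:show)` still widens `img-src`, while `FixedDiaryController.policy_for(:show)` leaves it at `'self'` and only `:index` gets the relaxed policy.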