Age | Commit message (Collapse) | Author | |
---|---|---|---|
2022-10-26 | Add "unsafe-eval" to script-src CSP (#18817) | prplecake | |
2022-03-14 | Fix LetterOpennerWeb CSP (#17770) | Yamagishi Kazutoshi | |
2021-04-09 | Fix autoloading deprecation warnings from Rails 6 (#16010) | Eugen Rochko | |
2021-03-24 | Update Mastodon to Rails 6.1 (#15910) | Claire | |
* Update devise-two-factor to unreleased fork for Rails 6 support Update tests to match new `rotp` version. * Update nsa gem to unreleased fork for Rails 6 support * Update rails to 6.1.3 and rails-i18n to 6.0 * Update to unreleased fork of pluck_each for Ruby 6 support * Run "rails app:update" * Add missing ActiveStorage config file * Use config.ssl_options instead of removed ApplicationController#force_ssl Disabled force_ssl-related tests as they do not seem to be easily testable anymore. * Fix nonce directives by removing Rails 5 specific monkey-patching * Fix fixture_file_upload deprecation warning * Fix yield-based test failing with Rails 6 * Use Rails 6's index_with when possible * Use ActiveRecord::Cache::Store#delete_multi from Rails 6 This will yield better performances when deleting an account * Disable Rails 6.1's automatic preload link headers Since Rails 6.1, ActionView adds preload links for javascript files in the Links header per default. In our case, that will bloat headers too much and potentially cause issues with reverse proxies. Furhermore, we don't need those links, as we already output them as HTML link tags. * Switch to Rails 6.0 default config * Switch to Rails 6.1 default config * Do not include autoload paths in the load path | |||
2020-07-07 | Fix hashtag column options styling (#14247) | ThibG | |
* Enable nonces for stylesheets * Pass nonce to react-select | |||
2020-05-08 | Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679) | ThibG | |
* Make sure wicg-inert doesn't rely on inline CSS * Remove unsafe-inline from style-src | |||
2020-05-04 | Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595) | ThibG | |
2020-03-27 | Fix OCR not working on Safari because of unsupported worker-src CSP (#13323) | ThibG | |
Fixes #13321 | |||
2019-08-19 | Fix CSP needlessly allowing blob URLs in script-src (#11620) | ThibG | |
2019-08-16 | Fix media host not being included in connect-src for OCR (#11577) | Eugen Rochko | |
2019-08-15 | Add OCR tool to media editing modal (#11566) | Eugen Rochko | |
2018-10-12 | Add manifest_src to CSP, add blob to connect_src (#8967) | ThibG | |
2018-10-12 | Fix CSP headers blocking media and development environment (#8962) | Eugen Rochko | |
Regression from #8957 | |||
2018-10-11 | Set Content-Security-Policy rules through RoR's config (#8957) | ThibG | |
* Set CSP rules in RoR's configuration * Override CSP setting in the embed controller to allow frames | |||
2018-04-12 | Upgrade Rails to version 5.2.0 (#5898) | Yamagishi Kazutoshi | |