<p dir="auto">When you write something like <code class="notranslate">allow_thirdparty_images :only => :index</code> you'd expect the CSP to be altered only on the <code class="notranslate">index</code> action. But actually <code class="notranslate">:only => ...</code> was ignored and <code class="notranslate">allow_thirdparty_images</code> ran on all actions because <code class="notranslate">content_security_policy</code> didn't receive <code class="notranslate">options</code> correctly.</p>
<p dir="auto">Other <code class="notranslate">allow_</code> methods from <code class="notranslate">app/controllers/application_controller.rb</code> should be similarly fixed, except I haven't figured out whether they are required at all. For example <code class="notranslate">allow_all_form_action</code> in <code class="notranslate">app/controllers/oauth2_authorizations_controller.rb</code> came from <a class="commit-link" data-hovercard-type="commit" data-hovercard-url="https://github.com/openstreetmap/openstreetmap-website/commit/b96f3867e61dad3d7f14a0d8da01ea0cab1c83ec/hovercard" href="https://github.com/openstreetmap/openstreetmap-website/commit/b96f3867e61dad3d7f14a0d8da01ea0cab1c83ec"><tt>b96f386</tt></a>, but are redirects done using form actions? Forms in <code class="notranslate">app/views/oauth2_authorizations/new.html.erb</code> have actions pointing to the osm website.</p>

<hr>

<h4>You can view, comment on, or merge this pull request online at:</h4>
<p>  <a href='https://github.com/openstreetmap/openstreetmap-website/pull/5469'>https://github.com/openstreetmap/openstreetmap-website/pull/5469</a></p>

<h4>Commit Summary</h4>
<ul>
  <li><a href="https://github.com/openstreetmap/openstreetmap-website/pull/5469/commits/201796cced984aec11422518b1ff22ac6d94a873" class="commit-link">201796c</a>  Fix options passed by allow_thirdparty_images</li>
  <li><a href="https://github.com/openstreetmap/openstreetmap-website/pull/5469/commits/11b887c11813a2734e775c27c636d231b29ea824" class="commit-link">11b887c</a>  Allow thirdparty images on failed diary comment saves</li>
</ul>

<h4 style="display: inline-block">File Changes </h4> <p style="display: inline-block">(<a href="https://github.com/openstreetmap/openstreetmap-website/pull/5469/files">4 files</a>)</p>
<ul>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/5469/files#diff-766c34fd6533171eaf54300c153f89d6002c35c02cfc9c5b219251f85180ad07">app/controllers/application_controller.rb</a>
    (2)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/5469/files#diff-3c862c4b76c5629c1aeb9076a68805579f475b14d126b8a9691ff9ae2e00f76e">app/controllers/diary_comments_controller.rb</a>
    (2)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/5469/files#diff-2c3b3662e44be71c024967a2cefccfd23f10c363eadb2985ff4896454b01845e">test/controllers/diary_comments_controller_test.rb</a>
    (1)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/5469/files#diff-2719d3c650da3c587f727ca3c105e6bc93a7113f85717bb15983543cf4f85ae5">test/controllers/users_controller_test.rb</a>
    (3)
  </li>
</ul>

<h4>Patch Links:</h4>
<ul>
  <li><a href='https://github.com/openstreetmap/openstreetmap-website/pull/5469.patch'>https://github.com/openstreetmap/openstreetmap-website/pull/5469.patch</a></li>
  <li><a href='https://github.com/openstreetmap/openstreetmap-website/pull/5469.diff'>https://github.com/openstreetmap/openstreetmap-website/pull/5469.diff</a></li>
</ul>
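<p>An added example, not code from this pull request or from the project: it models one way a per-action CSP relaxation can silently become global when the options hash is passed positionally. It assumes Ruby 3 keyword-argument semantics and a Rails-like signature <code>content_security_policy(enabled = true, **options, &amp;block)</code>; <code>MiniCsp</code>, <code>BuggyController</code> and <code>FixedController</code> are hypothetical stand-ins.</p>

```ruby
# Minimal stand-in for the controller class macro (constructed for this example).
module MiniCsp
  def csp_filters
    @csp_filters ||= []
  end

  # Assumed Rails-like signature: one optional positional, then keyword options.
  def content_security_policy(enabled = true, **options, &block)
    csp_filters.push({ :enabled => enabled, :options => options, :block => block })
  end

  # Compute the img-src that would apply to the given action.
  def img_src_for(action)
    policy = { :img_src => ["'self'"] }
    csp_filters.each do |filter|
      only = Array(filter[:options][:only])
      # An empty :only list means the filter runs on every action.
      next unless only.empty? || only.include?(action)

      filter[:block].call(policy)
    end
    policy[:img_src]
  end
end

class BuggyController
  extend MiniCsp

  # The hash is passed positionally, so it binds to `enabled`
  # and `options` stays empty: the relaxed policy applies everywhere.
  def self.allow_thirdparty_images(**options)
    content_security_policy(options) { |policy| policy[:img_src] = ["*", "blob:"] }
  end
  allow_thirdparty_images :only => :index
end

class FixedController
  extend MiniCsp

  # Double-splat forwards the hash as keywords, so :only is honoured.
  def self.allow_thirdparty_images(**options)
    content_security_policy(**options) { |policy| policy[:img_src] = ["*", "blob:"] }
  end
  allow_thirdparty_images :only => :index
end
```

<p>A controller test that asserts the strict <code>img-src</code> on an action outside the <code>:only</code> list catches this class of regression.</p>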
