[openstreetmap/openstreetmap-website] Fix allow_thirdparty_images options (PR #5469)
Anton Khorev
notifications at github.com
Sun Jan 5 07:29:10 UTC 2025
When you write something like `allow_thirdparty_images :only => :index` you'd expect the CSP to be altered only on the `index` action. But actually `:only => ...` was ignored and `allow_thirdparty_images` ran on all actions because `content_security_policy` didn't receive `options` correctly.
Other `allow_` methods from `app/controllers/application_controller.rb` should be similarly fixed, except I haven't figured out whether they are required at all. For example `allow_all_form_action` in `app/controllers/oauth2_authorizations_controller.rb` came from https://github.com/openstreetmap/openstreetmap-website/commit/b96f3867e61dad3d7f14a0d8da01ea0cab1c83ec, but are redirects done using form actions? Forms in `app/views/oauth2_authorizations/new.html.erb` have actions pointing to the osm website.
You can view, comment on, or merge this pull request online at:
https://github.com/openstreetmap/openstreetmap-website/pull/5469
-- Commit Summary --
* Fix options passed by allow_thirdparty_images
* Allow thirdparty images on failed diary comment saves
-- File Changes --
M app/controllers/application_controller.rb (2)
M app/controllers/diary_comments_controller.rb (2)
M test/controllers/diary_comments_controller_test.rb (1)
M test/controllers/users_controller_test.rb (3)
-- Patch Links --
https://github.com/openstreetmap/openstreetmap-website/pull/5469.patch
https://github.com/openstreetmap/openstreetmap-website/pull/5469.diff
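A sketch of how a wrapper can lose `:only` and relax the policy on every action, added here as an example; it is not the project's code or this PR's diff. It assumes Ruby 3 and a wrapped macro whose signature is an optional positional flag followed by `**options`; `FakeController`, `csp_macro`, `allow_images_buggy` and `allow_images_fixed` are hypothetical names.

```ruby
# Constructed stand-in for a Rails controller; runs without Rails (Ruby 3+).
class FakeController
  @filters = []
  class << self
    attr_reader :filters

    def inherited(sub)
      super
      sub.instance_variable_set(:@filters, [])
    end

    # Hypothetical macro with an ASSUMED signature: optional flag, then keywords.
    def csp_macro(enabled = true, **options, &block)
      @filters << { enabled: enabled, only: Array(options[:only]), block: block }
    end

    # Buggy wrapper: the hash is passed positionally, so it binds to
    # `enabled` (truthy) and `options` stays empty: no action scoping.
    def allow_images_buggy(**options)
      csp_macro(options) { |policy| policy[:img_src] = "*" }
    end

    # Fixed wrapper: the double splat forwards the hash as keywords.
    def allow_images_fixed(**options)
      csp_macro(**options) { |policy| policy[:img_src] = "*" }
    end

    # Effective img-src for an action, starting from a strict default.
    def img_src_for(action)
      policy = { img_src: "'self'" }
      filters.each do |f|
        applies = f[:enabled] && (f[:only].empty? || f[:only].include?(action))
        f[:block].call(policy) if applies
      end
      policy[:img_src]
    end
  end
end

class BuggyController < FakeController
  allow_images_buggy :only => :index
end

class FixedController < FakeController
  allow_images_fixed :only => :index
end
```

A controller test that asserts the strict `img-src` on an action outside `:only` catches this kind of silent widening.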