Improve the content security policy

author Tom Hughes <tom@compton.nu>

Wed, 1 Mar 2017 22:38:24 +0000 (22:38 +0000)

committer Tom Hughes <tom@compton.nu>

Wed, 1 Mar 2017 22:38:24 +0000 (22:38 +0000)
author Tom Hughes <tom@compton.nu>
Wed, 1 Mar 2017 22:38:24 +0000 (22:38 +0000)
committer Tom Hughes <tom@compton.nu>
Wed, 1 Mar 2017 22:38:24 +0000 (22:38 +0000)
diff --git a/.rubocop.yml b/.rubocop.yml

index 5bae96caa33e1f8d40c1c85284247d442eb87833..a31adf03bed73486bfb2c7f532ab61aad0cad8e3 100644 (file)
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -66,3 +66,4 @@ Rails/SkipsModelValidations:
  Lint/PercentStringArray:
    Exclude:
      - 'config/initializers/secure_headers.rb'
+    - 'app/controllers/site_controller.rb'
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb

index 26bb92f9af78b8685f8fa9356428a5b5a269595b..ff3f67efd975d46d76312a35f97fcf44c7899df9 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -410,7 +410,8 @@ class ApplicationController < ActionController::Base
    def map_layout
      append_content_security_policy_directives(
        :connect_src => %w(nominatim.openstreetmap.org overpass-api.de router.project-osrm.org valhalla.mapzen.com),
-      :script_src => %w(graphhopper.com open.mapquestapi.com)
+      :script_src => %w(graphhopper.com open.mapquestapi.com),
+      :img_src => %w(developer.mapquest.com)
      )
  
      request.xhr? ? "xhr" : "map"
diff --git a/app/controllers/site_controller.rb b/app/controllers/site_controller.rb

index 353feecefe32ae21062597d2ee7d9cfb2c137b0c..b0552322ed6d808efbf7a82bae2e001eb9b104fc 100644 (file)
--- a/app/controllers/site_controller.rb
+++ b/app/controllers/site_controller.rb
@@ -72,7 +72,8 @@ class SiteController < ApplicationController
      if editor == "potlatch" || editor == "potlatch2"
        append_content_security_policy_directives(
          :object_src => %w(*),
-        :plugin_types => %w(application/x-shockwave-flash)
+        :plugin_types => %w(application/x-shockwave-flash),
+        :script_src => %w('unsafe-inline')
        )
      end
  
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb

index 13db365099a9eeacd1fa0dc1aa4376196728a5e0..cd428d7dd2a9084de15f367c45d7ac512540e175 100644 (file)
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@@ -10,7 +10,7 @@ policy = if defined?(CSP_REPORT_URL)
               :media_src => %w('none'),
               :object_src => %w('self'),
               :plugin_types => %w('none'),
-             :script_src => %w('self' 'unsafe-inline'),
+             :script_src => %w('self'),
               :style_src => %w('self' 'unsafe-inline'),
               :report_uri => [CSP_REPORT_URL]
             }
@@ -18,6 +18,8 @@ policy = if defined?(CSP_REPORT_URL)
             SecureHeaders::OPT_OUT
           end
  
+policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
+
  SecureHeaders::Configuration.default do |config|
    config.csp = SecureHeaders::OPT_OUT
    config.csp_report_only = policy
author	Tom Hughes <tom@compton.nu>
	Wed, 1 Mar 2017 22:38:24 +0000 (22:38 +0000)
committer	Tom Hughes <tom@compton.nu>
	Wed, 1 Mar 2017 22:38:24 +0000 (22:38 +0000)
.rubocop.yml		patch \| blob \| history
app/controllers/application_controller.rb		patch \| blob \| history
app/controllers/site_controller.rb		patch \| blob \| history
config/initializers/secure_headers.rb		patch \| blob \| history