From d6f2de2fbf901f7045352024e077bc86ee38ae56 Mon Sep 17 00:00:00 2001 From: clemkeirua Date: Tue, 2 Jul 2019 09:40:38 +0200 Subject: [PATCH 1/2] enable static + activate csp in production --- config/environments/production.rb | 2 +- config/initializers/content_security_policy.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/environments/production.rb b/config/environments/production.rb index 3027c6cf6..0c93feb51 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb @@ -110,7 +110,7 @@ Rails.application.configure do } # The Content-Security-Policy is NOT in Report-Only mode - config.content_security_policy_report_only = true + config.content_security_policy_report_only = false config.lograge.enabled = ENV['LOGRAGE_ENABLED'] == 'enabled' end diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index 86a32f221..e289980ba 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -14,7 +14,7 @@ Rails.application.config.content_security_policy do |policy| # c'est trop compliqué pour être rectifié immédiatement (et sans valeur ajoutée: # c'est hardcodé dans les vues, donc pas injectable). policy.style_src :self, "*.crisp.chat", "crisp.chat", :unsafe_inline - policy.connect_src :self, "wss://*.crisp.chat" + policy.connect_src :self, "wss://*.crisp.chat", "*.demarches-simplifiees.fr" # Pour tout le reste, par défaut on accepte uniquement ce qui vient de chez nous # et dans la notification on inclue la source de l'erreur policy.default_src :self, :data, :report_sample, "fonts.gstatic.com", "in-automate.sendinblue.com", "player.vimeo.com", "app.franceconnect.gouv.fr", "sentry.io", "static.demarches-simplifiees.fr", "*.crisp.chat", "crisp.chat", "*.sibautomation.com", "sibautomation.com", "data" From dfefb827d98a256846ba0ede2411a401f4bbce38 Mon Sep 17 00:00:00 2001 From: clemkeirua Date: Tue, 2 Jul 2019 10:49:33 +0200 Subject: [PATCH 2/2] missing connect-src --- config/initializers/content_security_policy.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb index e289980ba..9b0eaced5 100644 --- a/config/initializers/content_security_policy.rb +++ b/config/initializers/content_security_policy.rb @@ -14,7 +14,7 @@ Rails.application.config.content_security_policy do |policy| # c'est trop compliqué pour être rectifié immédiatement (et sans valeur ajoutée: # c'est hardcodé dans les vues, donc pas injectable). policy.style_src :self, "*.crisp.chat", "crisp.chat", :unsafe_inline - policy.connect_src :self, "wss://*.crisp.chat", "*.demarches-simplifiees.fr" + policy.connect_src :self, "wss://*.crisp.chat", "*.crisp.chat", "*.demarches-simplifiees.fr", "in-automate.sendinblue.com", "app.franceconnect.gouv.fr", "sentry.io" # Pour tout le reste, par défaut on accepte uniquement ce qui vient de chez nous # et dans la notification on inclue la source de l'erreur policy.default_src :self, :data, :report_sample, "fonts.gstatic.com", "in-automate.sendinblue.com", "player.vimeo.com", "app.franceconnect.gouv.fr", "sentry.io", "static.demarches-simplifiees.fr", "*.crisp.chat", "crisp.chat", "*.sibautomation.com", "sibautomation.com", "data"