Improve the content security policy
This commit is contained in:
parent
d7b4f88d5e
commit
c5ef6404f5
4 changed files with 8 additions and 3 deletions
|
@ -66,3 +66,4 @@ Rails/SkipsModelValidations:
|
|||
Lint/PercentStringArray:
|
||||
Exclude:
|
||||
- 'config/initializers/secure_headers.rb'
|
||||
- 'app/controllers/site_controller.rb'
|
||||
|
|
|
@ -410,7 +410,8 @@ class ApplicationController < ActionController::Base
|
|||
def map_layout
|
||||
append_content_security_policy_directives(
|
||||
:connect_src => %w(nominatim.openstreetmap.org overpass-api.de router.project-osrm.org valhalla.mapzen.com),
|
||||
:script_src => %w(graphhopper.com open.mapquestapi.com)
|
||||
:script_src => %w(graphhopper.com open.mapquestapi.com),
|
||||
:img_src => %w(developer.mapquest.com)
|
||||
)
|
||||
|
||||
request.xhr? ? "xhr" : "map"
|
||||
|
|
|
@ -72,7 +72,8 @@ class SiteController < ApplicationController
|
|||
if editor == "potlatch" || editor == "potlatch2"
|
||||
append_content_security_policy_directives(
|
||||
:object_src => %w(*),
|
||||
:plugin_types => %w(application/x-shockwave-flash)
|
||||
:plugin_types => %w(application/x-shockwave-flash),
|
||||
:script_src => %w('unsafe-inline')
|
||||
)
|
||||
end
|
||||
|
||||
|
|
|
@ -10,7 +10,7 @@ policy = if defined?(CSP_REPORT_URL)
|
|||
:media_src => %w('none'),
|
||||
:object_src => %w('self'),
|
||||
:plugin_types => %w('none'),
|
||||
:script_src => %w('self' 'unsafe-inline'),
|
||||
:script_src => %w('self'),
|
||||
:style_src => %w('self' 'unsafe-inline'),
|
||||
:report_uri => [CSP_REPORT_URL]
|
||||
}
|
||||
|
@ -18,6 +18,8 @@ policy = if defined?(CSP_REPORT_URL)
|
|||
SecureHeaders::OPT_OUT
|
||||
end
|
||||
|
||||
policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
|
||||
|
||||
SecureHeaders::Configuration.default do |config|
|
||||
config.csp = SecureHeaders::OPT_OUT
|
||||
config.csp_report_only = policy
|
||||
|
|
Loading…
Add table
Reference in a new issue