Improve the content security policy

.rubocop.yml

@@ -66,3 +66,4 @@ Rails/SkipsModelValidations:
 Lint/PercentStringArray:
   Exclude:
     - 'config/initializers/secure_headers.rb'
+    - 'app/controllers/site_controller.rb'

app/controllers/application_controller.rb

@@ -410,7 +410,8 @@ class ApplicationController < ActionController::Base
   def map_layout
     append_content_security_policy_directives(
       :connect_src => %w(nominatim.openstreetmap.org overpass-api.de router.project-osrm.org valhalla.mapzen.com),
-      :script_src => %w(graphhopper.com open.mapquestapi.com)
+      :script_src => %w(graphhopper.com open.mapquestapi.com),
+      :img_src => %w(developer.mapquest.com)
     )
 
     request.xhr? ? "xhr" : "map"

app/controllers/site_controller.rb

@@ -72,7 +72,8 @@ class SiteController < ApplicationController
     if editor == "potlatch" || editor == "potlatch2"
       append_content_security_policy_directives(
         :object_src => %w(*),
-        :plugin_types => %w(application/x-shockwave-flash)
+        :plugin_types => %w(application/x-shockwave-flash),
+        :script_src => %w('unsafe-inline')
       )
     end
 

config/initializers/secure_headers.rb

@@ -10,7 +10,7 @@ policy = if defined?(CSP_REPORT_URL)
              :media_src => %w('none'),
              :object_src => %w('self'),
              :plugin_types => %w('none'),
-             :script_src => %w('self' 'unsafe-inline'),
+             :script_src => %w('self'),
              :style_src => %w('self' 'unsafe-inline'),
              :report_uri => [CSP_REPORT_URL]
            }
@@ -18,6 +18,8 @@ policy = if defined?(CSP_REPORT_URL)
            SecureHeaders::OPT_OUT
          end
 
+policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
+
 SecureHeaders::Configuration.default do |config|
   config.csp = SecureHeaders::OPT_OUT
   config.csp_report_only = policy