Improve the content security policy

This commit is contained in:
Tom Hughes 2017-03-01 22:38:24 +00:00
parent d7b4f88d5e
commit c5ef6404f5
4 changed files with 8 additions and 3 deletions

View file

@ -66,3 +66,4 @@ Rails/SkipsModelValidations:
Lint/PercentStringArray:
Exclude:
- 'config/initializers/secure_headers.rb'
- 'app/controllers/site_controller.rb'

View file

@ -410,7 +410,8 @@ class ApplicationController < ActionController::Base
def map_layout
append_content_security_policy_directives(
:connect_src => %w(nominatim.openstreetmap.org overpass-api.de router.project-osrm.org valhalla.mapzen.com),
:script_src => %w(graphhopper.com open.mapquestapi.com)
:script_src => %w(graphhopper.com open.mapquestapi.com),
:img_src => %w(developer.mapquest.com)
)
request.xhr? ? "xhr" : "map"

View file

@ -72,7 +72,8 @@ class SiteController < ApplicationController
if editor == "potlatch" || editor == "potlatch2"
append_content_security_policy_directives(
:object_src => %w(*),
:plugin_types => %w(application/x-shockwave-flash)
:plugin_types => %w(application/x-shockwave-flash),
:script_src => %w('unsafe-inline')
)
end

View file

@ -10,7 +10,7 @@ policy = if defined?(CSP_REPORT_URL)
:media_src => %w('none'),
:object_src => %w('self'),
:plugin_types => %w('none'),
:script_src => %w('self' 'unsafe-inline'),
:script_src => %w('self'),
:style_src => %w('self' 'unsafe-inline'),
:report_uri => [CSP_REPORT_URL]
}
@ -18,6 +18,8 @@ policy = if defined?(CSP_REPORT_URL)
SecureHeaders::OPT_OUT
end
policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
SecureHeaders::Configuration.default do |config|
config.csp = SecureHeaders::OPT_OUT
config.csp_report_only = policy