45 lines
1.8 KiB
Ruby
45 lines
1.8 KiB
Ruby
# Be sure to restart your server when you modify this file.
|
|
|
|
# Define an application-wide content security policy.
|
|
# See the Securing Rails Applications Guide for more information:
|
|
# https://guides.rubyonrails.org/security.html#content-security-policy-header
|
|
|
|
Rails.application.configure do
|
|
connect_src = [:self]
|
|
img_src = [:self, :data, "www.gravatar.com", "*.wp.com", "tile.openstreetmap.org", "gps.tile.openstreetmap.org", "*.tile.thunderforest.com", "tile.tracestrack.com", "*.openstreetmap.fr"]
|
|
script_src = [:self]
|
|
|
|
connect_src << Settings.matomo["location"] if defined?(Settings.matomo)
|
|
img_src << Settings.matomo["location"] if defined?(Settings.matomo)
|
|
script_src << Settings.matomo["location"] if defined?(Settings.matomo)
|
|
|
|
img_src << Settings.avatar_storage_url if Settings.key?(:avatar_storage_url)
|
|
img_src << Settings.trace_image_storage_url if Settings.key?(:trace_image_storage_url)
|
|
|
|
config.content_security_policy do |policy|
|
|
policy.default_src :self
|
|
policy.child_src(:self)
|
|
policy.connect_src(*connect_src)
|
|
policy.font_src(:none)
|
|
policy.form_action(:self)
|
|
policy.frame_ancestors(:self)
|
|
policy.frame_src(:self)
|
|
policy.img_src(*img_src)
|
|
policy.manifest_src(:self)
|
|
policy.media_src(:none)
|
|
policy.object_src(:self)
|
|
policy.plugin_types
|
|
policy.script_src(*script_src)
|
|
policy.style_src(:self)
|
|
policy.worker_src(:none)
|
|
policy.manifest_src(:self)
|
|
policy.report_uri(Settings.csp_report_url) if Settings.key?(:csp_report_url)
|
|
end
|
|
|
|
# Generate session nonces for permitted importmap and inline scripts
|
|
config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(24) }
|
|
config.content_security_policy_nonce_directives = %w[style-src]
|
|
|
|
# Report violations without enforcing the policy.
|
|
config.content_security_policy_report_only = true unless Settings.csp_enforce
|
|
end
|