Merge pull request #2287 from manyfold3d/configure-csp
Add Content-Security-Policy to increase security
Floppy authored Jun 19, 2024
2 parents ac82174 + cfcdba1 commit 8187ccc
Showing 3 changed files with 22 additions and 3 deletions.
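--- a/app/javascript/application.ts
+++ b/app/javascript/application.ts
@@ -1,8 +1,7 @@
 
 // Entry point for the build script in your package.json
 import Rails from '@rails/ujs'
-import $ from 'jquery'
-window.$ = $ // Just needed for selectize
+import $ from 'jquery' // Just needed for selectize
 
 import 'masonry-layout'
 
@@ -18,6 +17,7 @@ import 'src/file_size_validation'
 // Load i18n definitions
 import { I18n } from 'i18n-js'
 import locales from 'src/locales.json'
+window.$ = $
 
 Rails.start()
 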
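Review bot: Moving `window.$ = $` below the last import does not change when it runs, because ES module imports are hoisted and evaluated before any statement in the module body, so in the old layout the assignment already executed after every import; the new placement is a readability improvement rather than a behavioural fix. If the intent was for a later import (selectize, going by the `// Just needed for selectize` comment) to see `window.$` during its own module initialisation, a static import cannot provide that ordering and a dynamic `import()` issued after the assignment would be needed — that is an inference from the comment, not something the hunk shows. The lines between the two hunks are not visible here.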
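--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -7,7 +7,7 @@
 <%= csp_meta_tag %>
 <%= favicon_link_tag "logo.png" %>
 <%= javascript_include_tag "application", nonce: true %>
-<%= stylesheet_link_tag "application" %>
+<%= stylesheet_link_tag "application", nonce: true %>
 </head>
 
 <body>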
19 changes: 19 additions & 0 deletions config/initializers/content_security_policy.rb
Expand Up @@ -2,8 +2,27 @@
# See the Securing Rails Applications Guide for more information:
# https://guides.rubyonrails.org/security.html#content-security-policy-header

# I'f we're using Scout DevTrace in local development, we need to allow a load
# of inline stuff, so we need to add that and disable the nonce generation

using_scout = (ENV.fetch("SCOUT_DEV_TRACE", false) === "true")

scout_csp = using_scout ? [
:unsafe_inline, "https://apm.scoutapp.com", "https://scoutapm.com"
] : []

Rails.application.configure do
config.content_security_policy do |policy|
policy.default_src :self
policy.frame_ancestors :self
policy.frame_src :none
policy.img_src(*([:self, :data] + scout_csp))
policy.object_src :none
policy.script_src(*([:self] + scout_csp))
policy.style_src(*([:self] + scout_csp))
end

unless using_scout
config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
end
end
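Review bot: The Scout relaxation is gated only on the `SCOUT_DEV_TRACE` environment variable, so the "local development" intent stated in the comment is not enforced: setting that variable in any environment adds `unsafe-inline` to script-src and style-src and, via the `unless using_scout` block, disables the nonce generator at the same time. Tightening the guard to `using_scout = Rails.env.development? && ENV.fetch("SCOUT_DEV_TRACE", false) == "true"` keeps the relaxation out of production (`===` on a String is plain equality here, so `==` reads more clearly). Separately, `default_src :self` does not act as a fallback for `base-uri` or `form-action`, so `policy.base_uri :self` and `policy.form_action :self` would close those two gaps. The session-id nonce generator means every response in a session shares one nonce value; this matches the commented example in recent Rails templates, but a per-request `SecureRandom.base64(16)` is the stronger choice if the pages are not served from a cache. The comment on the fourth hunk line also has a stray apostrophe in `I'f`.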
