Add a Content Security Policy
This commit is contained in:
18
config/content_security_policy.yml.ci
Normal file
18
config/content_security_policy.yml.ci
Normal file
@ -0,0 +1,18 @@
|
||||
default: &default
|
||||
default_src: []
|
||||
|
||||
|
||||
development:
|
||||
<<: *default
|
||||
# Allow the webpack-dev-server in development
|
||||
connect_src:
|
||||
- http://localhost:3035
|
||||
- ws://localhost:3035
|
||||
|
||||
|
||||
production:
|
||||
<<: *default
|
||||
|
||||
|
||||
test:
|
||||
<<: *default
|
29
config/content_security_policy.yml.example
Normal file
29
config/content_security_policy.yml.example
Normal file
@ -0,0 +1,29 @@
|
||||
# This file allows to further customize the Content Security Policy (CSP)
|
||||
# All settings will be applied **in addition** to the application CSP
|
||||
# Default directives are defined here: `initializers/content_security_policy.rb`
|
||||
|
||||
default: &default
|
||||
# Allow the S3 service hosted by the openHPI Cloud to be used for images
|
||||
img_src:
|
||||
- https://s3.xopic.de
|
||||
- https://*.s3.xopic.de
|
||||
- https://s3.openhpicloud.de
|
||||
- https://*.s3.openhpicloud.de
|
||||
# Optionally: Specify a custom, non-Sentry URL for reporting CSP violations
|
||||
# report_uri: https://example.com/csp-report
|
||||
|
||||
|
||||
development:
|
||||
<<: *default
|
||||
# Allow the webpack-dev-server in development
|
||||
connect_src:
|
||||
- http://localhost:3035
|
||||
- ws://localhost:3035
|
||||
|
||||
|
||||
production:
|
||||
<<: *default
|
||||
|
||||
|
||||
test:
|
||||
<<: *default
|
@ -6,28 +6,57 @@
|
||||
# For further information see the following documentation
|
||||
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
||||
|
||||
# Rails.application.config.content_security_policy do |policy|
|
||||
# # If you are using webpack-dev-server then specify webpack-dev-server host
|
||||
# policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
|
||||
require_relative 'sentry_csp'
|
||||
require_relative 'sentry_javascript'
|
||||
|
||||
# policy.default_src :self, :https
|
||||
# policy.font_src :self, :https, :data
|
||||
# policy.img_src :self, :https, :data
|
||||
# policy.object_src :none
|
||||
# policy.script_src :self, :https
|
||||
# policy.style_src :self, :https
|
||||
# # If you are using webpack-dev-server then specify webpack-dev-server host
|
||||
# policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
|
||||
def self.apply_yml_settings_for(policy)
|
||||
csp_settings = CodeOcean::Config.new(:content_security_policy)
|
||||
|
||||
# # Specify URI for violation reports
|
||||
# # policy.report_uri "/csp-violation-report-endpoint"
|
||||
# end
|
||||
csp_settings.read.each do |directive, additional_settings|
|
||||
existing_settings = if directive == 'report_uri'
|
||||
''
|
||||
else
|
||||
policy.public_send(directive) || []
|
||||
end
|
||||
all_settings = existing_settings + additional_settings
|
||||
policy.public_send(directive, *all_settings)
|
||||
end
|
||||
end
|
||||
|
||||
def self.apply_sentry_settings_for(policy)
|
||||
sentry_domain = URI.parse SentryJavascript.dsn
|
||||
additional_setting = "#{sentry_domain.scheme}://#{sentry_domain.host}"
|
||||
existing_settings = policy.connect_src || []
|
||||
all_settings = existing_settings + [additional_setting]
|
||||
policy.connect_src(*all_settings)
|
||||
end
|
||||
|
||||
Rails.application.config.content_security_policy do |policy|
|
||||
policy.default_src :none
|
||||
policy.base_uri :none
|
||||
policy.font_src :self
|
||||
# Code executions might return a base64 encoded image as a :data URI
|
||||
policy.img_src :self, :data
|
||||
policy.object_src :none
|
||||
policy.script_src :self, :report_sample
|
||||
# Our ACE editor unfortunately requires :unsafe_inline for the code highlighting
|
||||
policy.style_src :self, :unsafe_inline, :report_sample
|
||||
policy.connect_src :self
|
||||
policy.form_action :self
|
||||
policy.frame_ancestors :none
|
||||
|
||||
# Specify URI for violation reports
|
||||
policy.report_uri SentryCsp.report_url if SentryCsp.active?
|
||||
|
||||
apply_yml_settings_for policy
|
||||
apply_sentry_settings_for policy if SentryJavascript.active?
|
||||
end
|
||||
|
||||
# If you are using UJS then enable automatic nonce generation
|
||||
# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
|
||||
Rails.application.config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
|
||||
|
||||
# Set the nonce only to specific directives
|
||||
# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
|
||||
Rails.application.config.content_security_policy_nonce_directives = %w[script-src]
|
||||
|
||||
# Report CSP violations to a specified URI
|
||||
# For further information see the following documentation:
|
||||
|
40
config/initializers/sentry_csp.rb
Normal file
40
config/initializers/sentry_csp.rb
Normal file
@ -0,0 +1,40 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
require_relative 'sentry'
|
||||
|
||||
class SentryCsp
|
||||
def self.active?
|
||||
dsn.present? && %w[development test].exclude?(environment)
|
||||
end
|
||||
|
||||
def self.report_url
|
||||
parsed_url = URI.parse dsn
|
||||
|
||||
# Add additional variables to the query string
|
||||
query_params = CGI.parse(parsed_url.query || '')
|
||||
query_params[:sentry_release] = release if release
|
||||
query_params[:sentry_environment] = environment if environment
|
||||
|
||||
# Add the query string back to the URL
|
||||
parsed_url.query = URI.encode_www_form(query_params)
|
||||
|
||||
# Return the full URL
|
||||
parsed_url.to_s
|
||||
end
|
||||
|
||||
class << self
|
||||
private
|
||||
|
||||
def dsn
|
||||
ENV.fetch('SENTRY_CSP_REPORT_URL', nil)
|
||||
end
|
||||
|
||||
def release
|
||||
Sentry.configuration.release
|
||||
end
|
||||
|
||||
def environment
|
||||
Sentry.configuration.environment
|
||||
end
|
||||
end
|
||||
end
|
@ -1,5 +1,7 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
require_relative 'sentry'
|
||||
|
||||
class SentryJavascript
|
||||
def self.active?
|
||||
dsn.present? && %w[development test].exclude?(environment)
|
||||
|
Reference in New Issue
Block a user