From b37e1b19c31620a87d0ca63d1b83d63d0547ca60 Mon Sep 17 00:00:00 2001
From: Sebastian Serth <Sebastian.Serth@hpi.de>
Date: Sat, 13 Apr 2024 19:58:31 +0200
Subject: [PATCH] Update Content Security Policy and enable Sandbox

- Add new directives
- Remove deprecated options
- Enable Sandbox
---
 .../initializers/content_security_policy.rb   | 30 ++++++++++++++++---
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 8d14018d..2cfbb13a 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -48,22 +48,44 @@ Rails.application.configure do
     policy.default_src          :none
     policy.base_uri             :self
     policy.font_src             :self
-    # Code executions might return a base64 encoded image as a :data URI and ACE uses :data URIs for images
+    # Code executions might return a base64 encoded image as a :data URI
     policy.img_src              :self, :data
     policy.object_src           :none
     policy.media_src            :self
+    policy.script_src_elem      :self, :report_sample
+    policy.script_src_attr      :none
+    # The `script_src` directive is only a fallback for browsers not supporting `script_src_elem` and `script_src_attr`.
     policy.script_src           :self, :report_sample
-    # Our ACE editor unfortunately requires :unsafe_inline for the code highlighting
+    # Some dependencies add new styles to the DOM dynamically, requiring :unsafe-inline.
+    # Currently, these include turbolinks, and vis.js.
+    policy.style_src_elem       :self, :unsafe_inline, :report_sample
+    # We still use some inline styles within the application, and indirectly through d3.js.
+    policy.style_src_attr       :unsafe_inline, :report_sample
+    # The `style_src` directive is only a fallback for browsers not supporting `style_src_elem` and `style_src_attr`.
     policy.style_src            :self, :unsafe_inline, :report_sample
     policy.connect_src          :self
-    # Our ACE editor uses web workers to highlight code, preferably via URL or otherwise with a blob.
-    policy.child_src            :self, :blob
+    # Web workers are used by the ACE editor (for syntax highlighting) and JStree (for processing trees).
+    # Those dependencies are loading further code via blobs.
+    policy.worker_src           :self, :blob
     policy.form_action          :self
     policy.frame_ancestors      :none
+    policy.frame_src            :none
+    policy.manifest_src         :none
+
+    # Trusted Types are not yet added to the application, thus we cannot enforce them.
+    # policy.require_trusted_types_for :script
+    # policy.trusted_types       'example'
 
     # Specify URI for violation reports
     policy.report_uri           SentryCsp.report_url if SentryCsp.active?
 
+    # We want to apply a default sandbox to our page, just allowing a few features.
+    # These values also apply to popups rendering user code with the `render_host`.
+    # Thus, rendered pages still miss some features, e.g., `allow-popups-to-escape-sandbox`, `allow-top-navigation`
+    # Despite restricting the sandbox as much as possible, Chrome warns:
+    # "An iframe which has both allow-scripts and allow-same-origin for its sandbox attribute can escape its sandboxing."
+    policy.sandbox              'allow-downloads', 'allow-forms', 'allow-modals', 'allow-popups', 'allow-same-origin', 'allow-scripts'
+
     CSP.apply_yml_settings_for      policy
     CSP.apply_sentry_settings_for   policy if SentryJavascript.active?
   end