Disallow any external resources for :render_file

2022-09-03 21:42:27 +02:00
parent a2bb2844b4
commit b6d8c7175b
1 changed files with 10 additions and 0 deletions
--- a/app/controllers/submissions_controller.rb
+++ b/app/controllers/submissions_controller.rb
@ -14,6 +14,16 @@ class SubmissionsController < ApplicationController
  before_action :set_files_and_specific_file, only: %i[download_file render_file run test]
  before_action :set_mime_type, only: %i[download_file render_file]

+  # Overwrite the CSP header for the :render_file action
+  content_security_policy only: :render_file do |policy|
+    policy.img_src        :none
+    policy.script_src     :none
+    policy.font_src       :none
+    policy.style_src      :none
+    policy.connect_src    :none
+    policy.form_action    :none
+  end
+
  def create
    @submission = Submission.new(submission_params)
    authorize!