htwkmooc/codeocean
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e6e2d2977864248b7fbc12f88ceb3a81af916307
codeocean/config/initializers/content_security_policy.rb
dependabot[bot] 90b30e2bf7 Upgrade to Rails 7.0 and apply new framework defaults 
* Remove `send_stream` method pulled in before upgrading Rails
* Remove spring, it is no longer included by default for new apps
* Remove deprecated options from environments
* Remove old asset paths and workarounds no longer needed
* Remove unnecessary `OAUTH_10_SUPPORT` const, LTI still uses OAuth 1.0
* Dump schema with new defaults (and specify precision for timestamps where needed)
2022-12-04 15:21:59 +01:00

68 lines
2.6 KiB
Ruby
Raw Blame History

# frozen_string_literal: true
# Be sure to restart your server when you modify this file.
# Define an application-wide content security policy.
# See the Securing Rails Applications Guide for more information:
# https://guides.rubyonrails.org/security.html#content-security-policy-header
require_relative 'sentry_csp'
require_relative 'sentry_javascript'
module CSP
def self.apply_yml_settings_for(policy)
csp_settings = CodeOcean::Config.new(:content_security_policy)
csp_settings.read.each do |directive, additional_settings|
existing_settings = if directive == 'report_uri'
''
else
policy.public_send(directive) || []
end
all_settings = existing_settings + additional_settings
policy.public_send(directive, *all_settings)
end
end
def self.apply_sentry_settings_for(policy)
sentry_domain = URI.parse SentryJavascript.dsn
additional_setting = "#{sentry_domain.scheme}://#{sentry_domain.host}"
existing_settings = policy.connect_src || []
all_settings = existing_settings + [additional_setting]
policy.connect_src(*all_settings)
end
end
Rails.application.configure do
config.content_security_policy do |policy|
policy.default_src :none
policy.base_uri :self
policy.font_src :self
# Code executions might return a base64 encoded image as a :data URI
policy.img_src :self, :data
policy.object_src :none
policy.media_src :self
policy.script_src :self, :report_sample
# Our ACE editor unfortunately requires :unsafe_inline for the code highlighting
policy.style_src :self, :unsafe_inline, :report_sample
policy.connect_src :self
# Our ACE editor uses web workers to highlight code, preferably via URL or otherwise with a blob.
policy.child_src :self, :blob
policy.form_action :self
policy.frame_ancestors :none
# Specify URI for violation reports
policy.report_uri SentryCsp.report_url if SentryCsp.active?
CSP.apply_yml_settings_for policy
CSP.apply_sentry_settings_for policy if SentryJavascript.active?
end
# Generate session nonces for permitted importmap and inline scripts
# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
# config.content_security_policy_nonce_directives = %w[script-src]
# Report violations without enforcing the policy
# config.content_security_policy_report_only = true
end
Reference in New Issue View Git Blame Copy Permalink