# Be sure to restart your server when you modify this file.

# Define an application-wide content security policy.
# See the Securing Rails Applications Guide for more information:
# https://guides.rubyonrails.org/security.html#content-security-policy-header

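# Application-wide Content-Security-Policy.
#
# The source lists for connect-src, img-src and script-src are built up first
# so that deployment-specific origins from Settings can be appended before the
# policy object is assembled. Every other directive is fixed.
Rails.application.configure do
  connect_src = [:self]
  img_src = [
    :self, :data,
    "www.gravatar.com", "*.wp.com",
    "tile.openstreetmap.org", "gps.tile.openstreetmap.org",
    "*.tile.thunderforest.com", "tile.tracestrack.com", "*.openstreetmap.fr"
  ]
  script_src = [:self]

  # The Matomo origin is added to all three lists; it is read once rather than
  # once per list. If the setting exists but has no "location", this still
  # fails loudly when the policy is built, as a misconfiguration should.
  if defined?(Settings.matomo)
    matomo_location = Settings.matomo["location"]
    connect_src << matomo_location
    img_src << matomo_location
    script_src << matomo_location
  end

  # Optional external storage origins for avatars and trace images.
  img_src << Settings.avatar_storage_url if Settings.key?(:avatar_storage_url)
  img_src << Settings.trace_image_storage_url if Settings.key?(:trace_image_storage_url)

  config.content_security_policy do |policy|
    policy.default_src(:self)
    policy.child_src(:self)
    policy.connect_src(*connect_src)
    policy.font_src(:none)
    policy.form_action(:self)
    policy.frame_ancestors(:self)
    policy.frame_src(:self)
    policy.img_src(*img_src)
    # manifest-src is set exactly once here (it was previously listed twice).
    policy.manifest_src(:self)
    policy.media_src(:none)
    # NOTE(review): object-src :self still permits same-origin <object>/<embed>;
    # :none is the usual hardening when no plugin content is served — confirm.
    policy.object_src(:self)
    # Called with no sources. NOTE(review): plugin-types has been dropped by
    # current browsers — confirm this line is still wanted.
    policy.plugin_types
    policy.script_src(*script_src)
    policy.style_src(:self)
    policy.worker_src(:none)
    # report-uri is the legacy reporting directive; report-to is its successor
    # and could be added alongside it if the report endpoint supports it.
    policy.report_uri(Settings.csp_report_url) if Settings.key?(:csp_report_url)
  end

  # A fresh random nonce per request (not per session) for the nonce'd
  # script-src and style-src entries. A session-scoped nonce would be reusable
  # across every request in that session, weakening the protection.
  config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(24) }
  config.content_security_policy_nonce_directives = %w[script-src style-src]

  # Report violations without enforcing the policy unless csp_enforce is set.
  config.content_security_policy_report_only = true unless Settings.csp_enforce
end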