Switch to using rails builtin content security policy support

[rails.git] / app / controllers / export_controller.rb

diff --git a/app/controllers/export_controller.rb b/app/controllers/export_controller.rb
index 1b7beaad696dd8ca3503babaa26e67748a70e511..cddc97b6883e13044601c5b4a3a24b1f84d83f74 100644 (file)
--- a/app/controllers/export_controller.rb
+++ b/app/controllers/export_controller.rb
@@ -2,6 +2,11 @@ class ExportController < ApplicationController
   before_action :authorize_web
   before_action :set_locale
   before_action :update_totp, :only => [:finish]
+  authorize_resource :class => false
+
+  content_security_policy(:only => :embed) do |policy|
+    policy.frame_ancestors("*")
+  end
 
   caches_page :embed
 
@@ -10,16 +15,17 @@ class ExportController < ApplicationController
     bbox = BoundingBox.from_lon_lat_params(params)
     format = params[:format]
 
-    if format == "osm"
+    case format
+    when "osm"
       # redirect to API map get
-      redirect_to :controller => "api", :action => "map", :bbox => bbox
+      redirect_to :controller => "api/map", :action => "index", :bbox => bbox
 
-    elsif format == "mapnik"
+    when "mapnik"
       # redirect to a special 'export' cgi script
       format = params[:mapnik_format]
       scale = params[:mapnik_scale]
 
-      redirect_to "http://render.openstreetmap.org/cgi-bin/export?bbox=#{bbox}&scale=#{scale}&format=#{format}"
+      redirect_to "https://render.openstreetmap.org/cgi-bin/export?bbox=#{bbox}&scale=#{scale}&format=#{format}", :allow_other_host => true
     end
   end