X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/f11221f05bcdd05edd7a9f97d6d57e7baaeb4921..15c96081a6068c23aa660e8f366571c523a33d92:/app/controllers/application_controller.rb

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 1df6dd7d1..7f9ab6ead 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -414,9 +414,9 @@ class ApplicationController < ActionController::Base
     append_content_security_policy_directives(
       :child_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112],
       :frame_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112],
-      :connect_src => %w[nominatim.openstreetmap.org overpass-api.de router.project-osrm.org graphhopper.com],
+      :connect_src => [NOMINATIM_URL, OVERPASS_URL, OSRM_URL, GRAPHHOPPER_URL],
       :form_action => %w[render.openstreetmap.org],
-      :script_src => %w[open.mapquestapi.com],
+      :script_src => [MAPQUEST_DIRECTIONS_URL],
       :img_src => %w[developer.mapquest.com]
     )
 
@@ -483,9 +483,15 @@ class ApplicationController < ActionController::Base
       report_error t("oauth.permissions.missing"), :forbidden
     elsif current_user
       set_locale
-      report_error t("application.permission_denied"), :forbidden
+      respond_to do |format|
+        format.html { redirect_to :controller => "errors", :action => "forbidden" }
+        format.any { report_error t("application.permission_denied"), :forbidden }
+      end
     elsif request.get?
-      redirect_to :controller => "users", :action => "login", :referer => request.fullpath
+      respond_to do |format|
+        format.html { redirect_to :controller => "users", :action => "login", :referer => request.fullpath }
+        format.any { head :forbidden }
+      end
     else
       head :forbidden
     end