Improve the content security policy
authorTom Hughes <tom@compton.nu>
Wed, 1 Mar 2017 22:38:24 +0000 (22:38 +0000)
committerTom Hughes <tom@compton.nu>
Wed, 1 Mar 2017 22:38:24 +0000 (22:38 +0000)
.rubocop.yml
app/controllers/application_controller.rb
app/controllers/site_controller.rb
config/initializers/secure_headers.rb

index 5bae96c..a31adf0 100644 (file)
@@ -66,3 +66,4 @@ Rails/SkipsModelValidations:
 Lint/PercentStringArray:
   Exclude:
     - 'config/initializers/secure_headers.rb'
+    - 'app/controllers/site_controller.rb'
index 26bb92f..ff3f67e 100644 (file)
@@ -410,7 +410,8 @@ class ApplicationController < ActionController::Base
   def map_layout
     append_content_security_policy_directives(
       :connect_src => %w(nominatim.openstreetmap.org overpass-api.de router.project-osrm.org valhalla.mapzen.com),
-      :script_src => %w(graphhopper.com open.mapquestapi.com)
+      :script_src => %w(graphhopper.com open.mapquestapi.com),
+      :img_src => %w(developer.mapquest.com)
     )
 
     request.xhr? ? "xhr" : "map"
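Review bot: The third-party hosts added to `map_layout` (now including `developer.mapquest.com` in `img_src`) carry no indication of which feature needs each origin, so when a provider is swapped out nobody can tell whether the entry is dead. A short why-comment per directive, e.g. `# img_src: assets loaded by the MapQuest layer (presumably attribution/logo) — confirm`, would keep the policy auditable. If only a single asset is fetched from that host, a path-scoped source expression (`developer.mapquest.com/<path>/`) narrows the grant further than the whole origin. `map_layout` ends outside the hunk.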
index 353feec..b055232 100644 (file)
@@ -72,7 +72,8 @@ class SiteController < ApplicationController
     if editor == "potlatch" || editor == "potlatch2"
       append_content_security_policy_directives(
         :object_src => %w(*),
-        :plugin_types => %w(application/x-shockwave-flash)
+        :plugin_types => %w(application/x-shockwave-flash),
+        :script_src => %w('unsafe-inline')
       )
     end
 
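Review bot: Re-adding `'unsafe-inline'` to `script_src` for the Potlatch editors gives back what the rest of this commit removes: the base policy in the initializer is `'self'`, so on these pages any reflected or stored markup that reaches the view can execute inline script again, on top of the already-open `object_src *`. The inline code that Potlatch needs is presumably fixed markup in a view, so a nonce or hash source would cover it without the blanket allowance — secure_headers ships nonce helpers for exactly this (the `nonced_javascript_tag` view helper, as far as I recall; confirm against the gem version in use), so the line could become `:script_src => [SecureHeaders.content_security_policy_script_nonce(request)]` paired with the nonced tag in the editor view. Failing that, a `'sha256-…'` hash of the inline block is still far narrower than `'unsafe-inline'`. The enclosing action starts and ends outside the hunk.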
index 13db365..cd428d7 100644 (file)
@@ -10,7 +10,7 @@ policy = if defined?(CSP_REPORT_URL)
              :media_src => %w('none'),
              :object_src => %w('self'),
              :plugin_types => %w('none'),
-             :script_src => %w('self' 'unsafe-inline'),
+             :script_src => %w('self'),
              :style_src => %w('self' 'unsafe-inline'),
              :report_uri => [CSP_REPORT_URL]
            }
@@ -18,6 +18,8 @@ policy = if defined?(CSP_REPORT_URL)
            SecureHeaders::OPT_OUT
          end
 
+policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
+
 SecureHeaders::Configuration.default do |config|
   config.csp = SecureHeaders::OPT_OUT
   config.csp_report_only = policy
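Review bot: The new `policy[:script_src] << PIWIK["location"]` line runs regardless of which branch produced `policy`, but when `CSP_REPORT_URL` is not defined `policy` is `SecureHeaders::OPT_OUT`, which (in the secure_headers releases I know, where it is a sentinel rather than a Hash) makes `policy[:script_src]` raise at boot on any deployment that has Piwik but no report URL. Guarding on the shape as well as on `PIWIK` fixes it: `policy[:script_src] << PIWIK["location"] if defined?(PIWIK) && policy.is_a?(Hash)` — or move the append inside the `if defined?(CSP_REPORT_URL)` branch. Note also that the block below keeps `config.csp = SecureHeaders::OPT_OUT` and installs the policy only as report-only, so the `'unsafe-inline'` removal in this commit is observed, not enforced; a comment such as `# CSP is deployed report-only until the report-uri data shows no false positives` would record that this is intentional.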