From: Tom Hughes Date: Wed, 1 Mar 2017 22:38:24 +0000 (+0000) Subject: Improve the content security policy X-Git-Tag: live~3577 X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/c5ef6404f5782c8305f9d1d25d2c99a545cdd9a1 Improve the content security policy
---
diff --git a/.rubocop.yml b/.rubocop.yml
index 5bae96caa..a31adf03b 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -66,3 +66,4 @@ Rails/SkipsModelValidations:
 Lint/PercentStringArray:
   Exclude:
     - 'config/initializers/secure_headers.rb'
+    - 'app/controllers/site_controller.rb'
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 26bb92f9a..ff3f67efd 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -410,7 +410,8 @@ class ApplicationController < ActionController::Base
   def map_layout
     append_content_security_policy_directives(
       :connect_src => %w(nominatim.openstreetmap.org overpass-api.de router.project-osrm.org valhalla.mapzen.com),
-      :script_src => %w(graphhopper.com open.mapquestapi.com)
+      :script_src => %w(graphhopper.com open.mapquestapi.com),
+      :img_src => %w(developer.mapquest.com)
     )
 
     request.xhr? ? "xhr" : "map"
diff --git a/app/controllers/site_controller.rb b/app/controllers/site_controller.rb
index 353feecef..b0552322e 100644
--- a/app/controllers/site_controller.rb
+++ b/app/controllers/site_controller.rb
@@ -72,7 +72,8 @@ class SiteController < ApplicationController
     if editor == "potlatch" || editor == "potlatch2"
       append_content_security_policy_directives(
         :object_src => %w(*),
-        :plugin_types => %w(application/x-shockwave-flash)
+        :plugin_types => %w(application/x-shockwave-flash),
+        :script_src => %w('unsafe-inline')
       )
     end
 
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index 13db36509..cd428d7dd 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
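Review bot: The new exclusion switches Lint/PercentStringArray off for the whole of app/controllers/site_controller.rb, although the only literal that needs it is the `%w('unsafe-inline')` added later in this commit. A line-level `# rubocop:disable Lint/PercentStringArray` / `# rubocop:enable Lint/PercentStringArray` pair around that one call keeps the cop active for the rest of the file, where a stray quote inside a `%w` list would be a genuine mistake. The same narrowing would apply to the existing exclusion of config/initializers/secure_headers.rb, which the commit leaves as is.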
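Review bot: `:img_src => %w(developer.mapquest.com)` adds a third-party host to the allow-list without recording what is loaded from it, so a later reader cannot tell when the entry can be dropped; a trailing comment such as `# developer.mapquest.com: images loaded by the MapQuest layer — TODO confirm which` would keep the allow-list auditable. The same presumably holds for the hosts already in :connect_src and :script_src, which the commit does not touch. The body of map_layout continues past the end of the hunk.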
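Review bot: `:script_src => %w('unsafe-inline')` allows any inline script on the Potlatch editor pages, which gives up the injection protection that `script_src 'self'` provides elsewhere, and the hunk does not say why the Flash embed needs it. If the inline code is a fixed snippet, a hash-source or a per-request nonce would admit only that snippet; otherwise the line deserves a comment like `# Potlatch embed code is emitted inline; 'unsafe-inline' stays until it moves to a nonce — TODO confirm`. Since the policy is assigned to `config.csp_report_only` in config/initializers/secure_headers.rb later in this commit, the relaxation currently changes what is reported rather than what is blocked. The enclosing action starts before the hunk.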
@@ -10,7 +10,7 @@ policy = if defined?(CSP_REPORT_URL)
       :media_src => %w('none'),
       :object_src => %w('self'),
       :plugin_types => %w('none'),
-      :script_src => %w('self' 'unsafe-inline'),
+      :script_src => %w('self'),
       :style_src => %w('self' 'unsafe-inline'),
       :report_uri => [CSP_REPORT_URL]
     }
@@ -18,6 +18,8 @@ policy = if defined?(CSP_REPORT_URL)
             SecureHeaders::OPT_OUT
           end
 
+policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
+
 SecureHeaders::Configuration.default do |config|
   config.csp = SecureHeaders::OPT_OUT
   config.csp_report_only = policy
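Review bot: Dropping `'unsafe-inline'` from `:script_src` is the right direction, but this policy is only ever assigned to `config.csp_report_only` (the enforcing `config.csp` stays `SecureHeaders::OPT_OUT` in the next hunk), so inline scripts still on the site are reported, not blocked. A comment on the `:script_src => %w('self')` line, e.g. `# report-only: remaining inline scripts show up as violations at CSP_REPORT_URL until they move to nonces/hashes`, would stop a reader from assuming the site now enforces this. `:style_src` keeps `'unsafe-inline'`, which the commit does not change.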
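Review bot: `policy[:script_src] << PIWIK["location"] if defined?(PIWIK)` runs regardless of which branch built `policy`, yet the `else` branch visible just above assigns `SecureHeaders::OPT_OUT`, which does not look like the directive hash; when CSP_REPORT_URL is undefined and PIWIK is defined, indexing it at boot will presumably raise or touch the wrong object. Guard on the shape of `policy` as well, `policy[:script_src] << PIWIK["location"] if defined?(PIWIK) && policy.is_a?(Hash)`, or move the append inside the `if defined?(CSP_REPORT_URL)` branch. `<<` also mutates the `%w('self')` literal from the previous hunk in place, which works but is worth a short comment since the hash is built several lines away.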