Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Enable Content Security Policy and fix violations (#645)
  • Loading branch information
Robert Clark committed Feb 19, 2021
1 parent 8a4b036 commit b61f723
Show file tree
Hide file tree
Showing 8 changed files with 49 additions and 48 deletions.
2 changes: 1 addition & 1 deletion app/assets/javascripts/application.js
Expand Up @@ -10,7 +10,7 @@
// WARNING: THE FIRST BLANK LINE MARKS THE END OF WHAT'S TO BE PROCESSED, ANY BLANK LINE SHOULD
// GO AFTER THE REQUIRES BELOW.
//
//= require jquery
//= require jquery3
//= require jquery_ujs
//= require_tree .
//= require jquery.nested-fields
Expand Down
31 changes: 31 additions & 0 deletions app/assets/javascripts/home.js.coffee
@@ -1,2 +1,33 @@
# Place all the behaviors and hooks related to the matching controller here.
# All this logic will automatically be available in application.js.

$(document).ready ->
clock = $('#time_remaining')
updateClock(clock)
setInterval(updateClock, 1000, clock)

countdown = (endTime) ->
diff = endTime - new Date()

diff = 0 if diff < 0
days = Math.floor(diff/1000/60/60/24)
diff -= days * 1000*60*60*24
hours = Math.floor(diff/1000/60/60)
diff -= hours * 1000*60*60
minutes = Math.floor(diff/1000/60)
diff -= minutes * 1000*60
seconds = Math.floor(diff/1000)
return {"days": days, "hours": hours, "minutes":minutes, "seconds":seconds}

updateClock = (clock_elem) ->
t = countdown(new Date(parseFloat(clock_elem.data('endtime'))))
clock_elem.text(
'Time Remaining: ' +
t.days + 'd ' +
t.hours + 'h ' +
t.minutes + 'm ' +
t.seconds + 's'
)
if t.total <= 0
clearInterval timeinterval
return
2 changes: 1 addition & 1 deletion app/views/challenges/show.html.haml
Expand Up @@ -34,7 +34,7 @@
= f.label t('challenges.submit_flag')
= f.text_field :submitted_flag, :class => "form-control col-sm-10"
.control-group
= invisible_recaptcha_tags text: 'Submit', :class => "btn btn-primary"
= invisible_recaptcha_tags nonce: content_security_policy_nonce, text: 'Submit', :class => "btn btn-primary"

- if @solved_by.length > 0
%table.table.table-bordered.table-striped.table-hover
Expand Down
26 changes: 1 addition & 25 deletions app/views/layouts/_countdown.html.haml
@@ -1,27 +1,3 @@
.pull-right#clock
%h4
#time_remaining

:coffeescript
countdown = (endTime) ->
diff = endTime - new Date()
diff = 0 if diff < 0
days = Math.floor(diff/1000/60/60/24)
diff -= days * 1000*60*60*24
hours = Math.floor(diff/1000/60/60)
diff -= hours * 1000*60*60
minutes = Math.floor(diff/1000/60)
diff -= minutes * 1000*60
seconds = Math.floor(diff/1000)
return {"days": days, "hours": hours, "minutes":minutes, "seconds":seconds}

updateClock = (clock_elem) ->
t = countdown(new Date(#{endTime.to_f * 1000}))
clock_elem.innerHTML = 'Time Remaining: ' + t.days + 'd ' + t.hours + 'h ' + t.minutes + 'm ' + t.seconds + 's'
if t.total <= 0
clearInterval timeinterval
return

clock = document.getElementById('time_remaining')
updateClock(clock)
setInterval(updateClock, 1000, clock)
#time_remaining{'data-endtime' => endTime.to_f * 1000}
3 changes: 2 additions & 1 deletion app/views/layouts/application.html.haml
Expand Up @@ -2,8 +2,9 @@
%html
%head
%title= @game&.title
= csp_meta_tag
= stylesheet_link_tag "application"
= javascript_include_tag "application"
= javascript_include_tag "application", nonce: true
= csrf_meta_tags
%body
= render partial: 'layouts/navbar'
Expand Down
1 change: 1 addition & 0 deletions config/initializers/chartkick.rb
@@ -0,0 +1 @@
Chartkick.options[:nonce] = true
30 changes: 10 additions & 20 deletions config/initializers/content_security_policy.rb
Expand Up @@ -4,27 +4,17 @@
# For further information see the following documentation
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

# Rails.application.config.content_security_policy do |policy|
# policy.default_src :self, :https
# policy.font_src :self, :https, :data
# policy.img_src :self, :https, :data
# policy.object_src :none
# policy.script_src :self, :https
# policy.style_src :self, :https
# # If you are using webpack-dev-server then specify webpack-dev-server host
# policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?

# # Specify URI for violation reports
# # policy.report_uri "/csp-violation-report-endpoint"
# end
Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https
policy.font_src :self, :https, :data
policy.img_src :self, :https, :data
policy.object_src :none
policy.script_src :self, :https
policy.style_src :unsafe_inline, :self, :https
end

# If you are using UJS then enable automatic nonce generation
# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }

# Set the nonce only to specific directives
# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)

# Report CSP violations to a specified URI
# For further information see the following documentation:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
# Rails.application.config.content_security_policy_report_only = true
Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
2 changes: 2 additions & 0 deletions config/initializers/rails_admin.rb
Expand Up @@ -12,6 +12,8 @@
# RailsAdmin may need a way to know who the current user is]
config.current_user_method(&:current_user) # auto-generated

config.show_gravatar = false

config.authorize_with do
redirect_to main_app.root_path unless current_user.try(:admin?)
end
Expand Down

0 comments on commit b61f723

Please sign in to comment.