Allow CSP to be put in enforcing mode
tomhughes committed May 22, 2018
1 parent b47c27b commit d82cc08
Showing 2 changed files with 37 additions and 28 deletions.
2 changes: 2 additions & 0 deletions config/example.application.yml
Expand Up @@ -120,6 +120,8 @@ defaults: &defaults
#thunderforest_key: ""
# Key for generating TOTP tokens
#totp_key: ""
# Enforce Content-Security-Policy
csp_enforce: false
# URL for reporting Content-Security-Policy violations
#csp_report_url: ""

63 changes: 35 additions & 28 deletions config/initializers/secure_headers.rb
@@ -1,30 +1,27 @@
if defined?(CSP_REPORT_URL)
csp_policy = {
:preserve_schemes => true,
:default_src => %w['self'],
:child_src => %w['self'],
:connect_src => %w['self'],
:font_src => %w['none'],
:form_action => %w['self'],
:frame_ancestors => %w['self'],
:frame_src => %w['self'],
:img_src => %w['self' data: www.gravatar.com *.wp.com *.tile.openstreetmap.org *.tile.thunderforest.com *.openstreetmap.fr],
:manifest_src => %w['none'],
:media_src => %w['none'],
:object_src => %w['self'],
:plugin_types => %w[],
:script_src => %w['self'],
:style_src => %w['self'],
:worker_src => %w['none'],
:report_uri => [CSP_REPORT_URL]
}
csp_policy = {
:preserve_schemes => true,
:default_src => %w['self'],
:child_src => %w['self'],
:connect_src => %w['self'],
:font_src => %w['none'],
:form_action => %w['self'],
:frame_ancestors => %w['self'],
:frame_src => %w['self'],
:img_src => %w['self' data: www.gravatar.com *.wp.com *.tile.openstreetmap.org *.tile.thunderforest.com *.openstreetmap.fr],
:manifest_src => %w['none'],
:media_src => %w['none'],
:object_src => %w['self'],
:plugin_types => %w[],
:script_src => %w['self'],
:style_src => %w['self'],
:worker_src => %w['none'],
:report_uri => []
}

csp_policy[:connect_src] << PIWIK["location"] if defined?(PIWIK)
csp_policy[:img_src] << PIWIK["location"] if defined?(PIWIK)
csp_policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
else
csp_policy = SecureHeaders::OPT_OUT
end
csp_policy[:connect_src] << PIWIK["location"] if defined?(PIWIK)
csp_policy[:img_src] << PIWIK["location"] if defined?(PIWIK)
csp_policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
csp_policy[:report_uri] << CSP_REPORT_URL if defined?(CSP_REPORT_URL)

cookie_policy = {
:secure => SecureHeaders::OPT_OUT,
Expand All @@ -33,7 +30,17 @@

SecureHeaders::Configuration.default do |config|
config.hsts = SecureHeaders::OPT_OUT
config.csp = SecureHeaders::OPT_OUT
config.csp_report_only = csp_policy

if CSP_ENFORCE

This comment has been minimized.

Copy link
@mmd-osm

mmd-osm May 22, 2018

Contributor

This causes an error in my local installation: openstreetmap-website/config/initializers/secure_headers.rb:34:in `block in <top (required)>': uninitialized constant CSP_ENFORCE (NameError). I can't run bundle exec rails server anymore.

Ah, ok, I need to update my application.yml to include csp_enforce: false

This comment has been minimized.

Copy link
@tomhughes

tomhughes May 22, 2018

Author Member

You need to update your application.yml as there is a new setting.

This comment has been minimized.

Copy link
@mmd-osm

mmd-osm May 22, 2018

Contributor

Yup, that's it. Thanks for the hint!

config.csp = csp_policy
config.csp_report_only = SecureHeaders::OPT_OUT
elsif defined?(CSP_REPORT_URL)
config.csp = SecureHeaders::OPT_OUT
config.csp_report_only = csp_policy
else
config.csp = SecureHeaders::OPT_OUT
config.csp_report_only = SecureHeaders::OPT_OUT
end

config.cookies = cookie_policy
end
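Review bot: The `if CSP_ENFORCE` branch in the second hunk enforces the policy even when `CSP_REPORT_URL` is not defined, in which case `report_uri` stays `[]` (first hunk) and blocked requests are never reported anywhere, so a deployment that flips `csp_enforce` on without a report URL loses all visibility into what the policy breaks. That trade-off is worth stating next to the branch, e.g. `# Enforced without CSP_REPORT_URL: violations are blocked but not reported`. Presumably an empty `report_uri` is simply dropped from the header, as the pre-existing empty `plugin_types` list suggests, but that is inferred from the gem rather than visible here. As a point of style, the `else` branch only restates `config.csp = SecureHeaders::OPT_OUT` from the `elsif`, so the three-way conditional could collapse into two assignments, starting with `config.csp = CSP_ENFORCE ? csp_policy : SecureHeaders::OPT_OUT`.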
