Merge pull request #1490 from noesya/csp

Ajout de CSP
osunyorg · Dec 8, 2023 · 05de495 · 05de495
2 parents 32d54a9 + 51d89d4
commit 05de495
Show file tree

Hide file tree

Showing 19 changed files with 117 additions and 72 deletions.
diff --git a/app/assets/javascripts/leaflet.js b/app/assets/javascripts/leaflet.js
@@ -0,0 +1 @@
+//= require leaflet/dist/leaflet.js
diff --git a/app/assets/stylesheets/admin/commons/sidebar.sass b/app/assets/stylesheets/admin/commons/sidebar.sass
@@ -0,0 +1,2 @@
+.sidebar-icon
+    min-width: 30px
diff --git a/app/assets/stylesheets/leaflet.sass b/app/assets/stylesheets/leaflet.sass
@@ -0,0 +1 @@
+@import 'leaflet/dist/leaflet'
diff --git a/app/views/admin/communication/blocks/edit.html.erb b/app/views/admin/communication/blocks/edit.html.erb
@@ -43,7 +43,7 @@
 <%# Include vue.js before call Vue.createApp %>
 <%= javascript_include_tag 'vue' %>
 
-<script>
+<script nonce="<%= request.content_security_policy_nonce %>">
   var app = Vue.createApp({
     components: {
       draggable: VueDraggableNext.VueDraggableNext,

diff --git a/app/views/admin/communication/blocks/templates/organizations/_show.html.erb b/app/views/admin/communication/blocks/templates/organizations/_show.html.erb
@@ -25,14 +25,8 @@
       <% if block.template.layout == "grid" %>
         <div class="organizations grid">
       <% else # Map %>
+        <% content_for :leaflet_required, true %>
         <div class="map" data-marker-icon="<%= image_path 'map-marker.svg' %>">
-          <link   rel="stylesheet"
-                  href="https://unpkg.com/leaflet@1.9.3/dist/leaflet.css"
-                  integrity="sha256-kLaT2GOSpHechhsozzB+flnD+zUyjE2LlfWPgU04xyI="
-                  crossorigin=""/>
-          <script src="https://unpkg.com/leaflet@1.9.3/dist/leaflet.js"
-                  integrity="sha256-WBkoXOwTeyKclOHuWtc+i2uENFpDZ9YPdf5Hf+D7ewM="
-                  crossorigin=""></script>
       <% end %>
         <% block.template.elements.each do |element| %>
           <article  class="organization"

diff --git a/app/views/admin/communication/extranets/_sidebar.html.erb b/app/views/admin/communication/extranets/_sidebar.html.erb
@@ -25,7 +25,7 @@
       %>
         <li class="mb-3">
           <a class="d-block py-1 <%= active ? 'text-black' : 'text-muted' %>" href="<%= object[:path] %>">
-            <i class="<%= object[:icon] %>" style="min-width: 30px"></i>
+            <i class="sidebar-icon <%= object[:icon] %>"></i>
             <%= object[:title].html_safe %>
           </a>
         </li>

diff --git a/app/views/admin/communication/photo_imports/_selector.html.erb b/app/views/admin/communication/photo_imports/_selector.html.erb
@@ -157,7 +157,7 @@ pexels_path = admin_communication_pexels_path(website_id: nil, extranet_id: nil,
 <%# Include vue.js before call Vue.createApp %>
 <%= javascript_include_tag 'vue' %>
 
-<script>
+<script nonce="<%= request.content_security_policy_nonce %>">
   var app = Vue.createApp({
     data() {
       return {

diff --git a/app/views/admin/communication/websites/_sidebar.html.erb b/app/views/admin/communication/websites/_sidebar.html.erb
@@ -52,7 +52,7 @@
       %>
         <li class="mb-3">
           <a class="d-block py-1 <%= active ? 'text-black' : 'text-muted' %>" href="<%= object[:path] %>">
-            <i class="<%= object[:icon] %>" style="min-width: 30px"></i>
+            <i class="sidebar-icon <%= object[:icon] %>"></i>
             <%= object[:title].html_safe %>
           </a>
         </li>

diff --git a/app/views/admin/layouts/application.html.erb b/app/views/admin/layouts/application.html.erb
@@ -6,7 +6,7 @@
     <title><%= content_for?(:title) ? raw("#{yield(:title)} ∙ Osuny") : 'Osuny' %></title>
     <%= csrf_meta_tags %>
     <%= csp_meta_tag %>
-    <script>
+    <script nonce="<%= request.content_security_policy_nonce %>">
     // Avoid opening menu on load
     </script>
     <%= stylesheet_link_tag "admin/#{current_admin_theme}", media: 'all' %>

diff --git a/app/views/admin/layouts/preview.html.erb b/app/views/admin/layouts/preview.html.erb
@@ -18,6 +18,10 @@
       padding-top: 0;
     }
     </style>
+    <% if content_for?(:leaflet_required) %>
+      <%= stylesheet_link_tag 'leaflet', media: 'all' %>
+      <%= javascript_include_tag 'leaflet' %>
+    <% end %>
   </head>
   <body class="full-width">
     <header class="hero <%= 'hero--with-image hero--image-square' if yield(:image).present? %>">
@@ -40,4 +44,5 @@
     </main>
   </body>
   <script src="https://example.osuny.org/js/preview.js"></script>
+
 </html>
diff --git a/app/views/admin/research/journals/_sidebar.html.erb b/app/views/admin/research/journals/_sidebar.html.erb
@@ -29,7 +29,7 @@
       %>
         <li class="mb-3">
           <a class="d-block py-1 <%= active ? 'text-black' : 'text-muted' %>" href="<%= object[:path] %>">
-            <i class="<%= object[:icon] %>" style="min-width: 30px"></i>
+            <i class="sidebar-icon <%= object[:icon] %>"></i>
             <%= object[:title].html_safe %>
           </a>
         </li>

diff --git a/app/views/application/_bugsnag.html.erb b/app/views/application/_bugsnag.html.erb
@@ -1,6 +1,6 @@
 <% unless Rails.env.development? %>
   <script src="//d2wy8f7a9ursnm.cloudfront.net/v7/bugsnag.min.js"></script>
-  <script type="text/javascript">
+  <script type="text/javascript" nonce="<%= request.content_security_policy_nonce %>">
     Bugsnag.start({
       apiKey: "<%= j ENV['BUGSNAG_JAVASCRIPT_KEY'] %>",
       releaseStage: "<%= j ENV['APPLICATION_ENV'] %>"

diff --git a/app/views/extranet/layouts/application.html.erb b/app/views/extranet/layouts/application.html.erb
@@ -2,6 +2,10 @@
 <html>
   <head>
     <%= render 'extranet/application/head' %>
+    <% if content_for?(:leaflet_required) %>
+      <%= stylesheet_link_tag 'leaflet', media: 'all' %>
+      <%= javascript_include_tag 'leaflet' %>
+    <% end %>
   </head>
   <body class="extranet <%= body_classes %> full-width">
     <%= render 'application/notice' %>

diff --git a/app/views/server/layouts/application.html.erb b/app/views/server/layouts/application.html.erb
@@ -6,7 +6,7 @@
     <title><%= content_for?(:title) ? raw("#{yield(:title)} ∙ Osuny") : 'Osuny' %></title>
     <%= csrf_meta_tags %>
     <%= csp_meta_tag %>
-    <script>
+    <script nonce="<%= request.content_security_policy_nonce %>">
     // Avoid opening menu on load
     </script>
     <%= stylesheet_link_tag 'admin/pure', media: 'all' %>

diff --git a/app/views/server/universities/_sso_mapping.html.erb b/app/views/server/universities/_sso_mapping.html.erb
@@ -74,7 +74,7 @@ end
 
 </div>
 
-<script>
+<script nonce="<%= request.content_security_policy_nonce %>">
   var app = Vue.createApp({
     components: {
       draggable: VueDraggableNext.VueDraggableNext,

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -4,22 +4,53 @@
 # See the Securing Rails Applications Guide for more information:
 # https://guides.rubyonrails.org/security.html#content-security-policy-header
 
-# Rails.application.configure do
-#   config.content_security_policy do |policy|
-#     policy.default_src :self, :https
-#     policy.font_src    :self, :https, :data
-#     policy.img_src     :self, :https, :data
-#     policy.object_src  :none
-#     policy.script_src  :self, :https
-#     policy.style_src   :self, :https
-#     # Specify URI for violation reports
-#     # policy.report_uri "/csp-violation-report-endpoint"
-#   end
-#
-#   # Generate session nonces for permitted importmap, inline scripts, and inline styles.
-#   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-#   config.content_security_policy_nonce_directives = %w(script-src style-src)
-#
-#   # Report violations without enforcing the policy.
-#   # config.content_security_policy_report_only = true
-# end
+Rails.application.configure do
+
+  style_urls = %w()
+  img_urls = %w()
+  script_urls = %w(
+    https://example.osuny.org/js/
+    https://plausible.io
+    https//d2wy8f7a9ursnm.cloudfront.net/v7/
+  )
+  script_urls << "https://cdn.jsdelivr.net/npm/summernote@#{SummernoteRails::Rails::VERSION.split('.').take(3).join('.')}/dist/lang/"
+
+  font_urls = %w()
+  media_urls = %w()
+  frame_urls = %w()
+  child_urls = %w()
+  connect_urls = %w()
+  form_action_urls = %w()
+
+  defaults = %i[self https]
+
+  config.content_security_policy do |policy|
+    policy.base_uri    :none
+    policy.default_src *defaults
+    policy.font_src    *defaults, :data, *font_urls
+    policy.img_src     *defaults, :data, *img_urls
+    policy.media_src   *defaults, *media_urls
+    policy.frame_src   *defaults, *frame_urls
+    policy.child_src   *defaults, *child_urls
+    policy.object_src  :none
+    # We specify :unsafe_inline for browsers which not support nonce.
+    # Unsafe eval is required for Vue scripts
+    policy.script_src  :self, :unsafe_eval, *script_urls
+    policy.style_src   :self, :unsafe_inline, *style_urls
+    # If you are using webpack-dev-server then specify webpack-dev-server host
+    # policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
+    policy.connect_src *defaults, *connect_urls
+    policy.form_action *defaults, *form_action_urls
+
+    # Specify URI for violation reports
+    # policy.report_uri "/csp-violation-report-endpoint"
+  end
+
+
+  # Generate session nonces for permitted importmap, inline scripts, and inline styles.
+  config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+  config.content_security_policy_nonce_directives = %w(script-src)
+
+  # Report violations without enforcing the policy.
+  # config.content_security_policy_report_only = true
+end