Report Content-Security-Policy problems to honeybadger
Co-authored-by: Christina Chortaria <christinach@users.noreply.github.com>
sandbergja and christinach committed Jan 4, 2024
1 parent b055c70 commit 307085f
Showing 2 changed files with 21 additions and 2 deletions.
6 changes: 4 additions & 2 deletions app/views/layouts/application.html.erb
Expand Up @@ -34,14 +34,16 @@
<% else %>
<%= javascript_include_tag 'requests/application' %>
<% end %>
<script>window.Global = {"graphql":<%= Global.graphql.to_json.html_safe %>,"figgy":<%= Global.figgy.to_json.html_safe %>}</script>
<%= javascript_tag nonce: true do -%>
window.Global = {"graphql":<%= Global.graphql.to_json.html_safe %>,"figgy":<%= Global.figgy.to_json.html_safe %>}
<% end %>
<% unless controller.controller_name == "request" %>
<%= vite_javascript_tag 'application' %>
<% end %>
<% unless controller.controller_name == "catalog" && controller.action_name == "show" && @document.alma_record? %>
<%= javascript_include_tag "https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.2/MathJax.js?config=TeX-MML-AM_CHTML", async: true %>
<% end %>
<%= javascript_include_tag "https://www.google.com/books/jsapi.js" %>
<%= javascript_include_tag "https://www.google.com/books/jsapi.js", nonce: true %>
<%= csrf_meta_tags %>
<%= content_for(:head) %>
<link rel="unapi-server" type="application/xml" title="unAPI" href="/unapi"/>
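Review bot: The `nonce: true` on the new `javascript_tag` block and on the Google Books `javascript_include_tag` only produces a nonce attribute when `config.content_security_policy_nonce_generator` is set, and the initializer added in this same commit (config/initializers/content_security_policy.rb) leaves that line commented out. As far as I can tell from that initializer, the inline `window.Global` script will therefore still be reported as a violation of `script_src :self, :https`, so replacing the bare `<script>` with `javascript_tag nonce: true` has no effect until the generator is enabled. Separately, `:https` in `script_src` already admits the cdnjs and google.com includes (and any other HTTPS origin), so the nonce on the external include only becomes meaningful once that source list is tightened. A short comment on the tag would keep the next reader from assuming the nonce is live, e.g. `<%# nonce is emitted only once content_security_policy_nonce_generator is configured %>`.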
17 changes: 17 additions & 0 deletions config/initializers/content_security_policy.rb
@@ -0,0 +1,17 @@
# frozen_string_literal: true

Rails.application.config.content_security_policy_report_only = true
# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }

Rails.application.config.content_security_policy do |policy|
policy.default_src :self, :https
policy.font_src :self, :https, :data
policy.img_src :self, :https, :data
policy.object_src :none
policy.script_src :self, :https

# TODO: Upgrade MathJax to the latest version, using yarn/npm rather than the CDN
policy.style_src :self, "'unsafe-inline'"
# policy.style_src :self, :https
# policy.report_uri -> { "https://api.honeybadger.io/v1/browser/csp?api_key=#{ENV['HONEYBADGER_API_KEY']}&report_only=true&env=#{Rails.env}&context[user_id]=#{respond_to?(:current_user) ? current_user&.id : nil}" }
end
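Review bot: With `policy.report_uri` left commented out on the last line of the policy block and `content_security_policy_report_only = true`, violations only appear in the browser console; nothing is sent to Honeybadger, which is what the commit title describes. If the intent is to land the policy first and wire up reporting separately, say so next to the commented line, e.g. `# TODO: enable report_uri once HONEYBADGER_API_KEY is available in each environment`. Note that the commented proc interpolates `ENV['HONEYBADGER_API_KEY']` into a response header delivered to every browser, so confirm that value is the browser-side key and not a server-only secret before uncommenting it. As a style point, `policy.style_src :self, "'unsafe-inline'"` can use the built-in symbol form `policy.style_src :self, :unsafe_inline`, matching the `:self`/`:https`/`:data` style used on the other directives.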
