From ee0f6bea4d41a6684e27e4b706713a77f29a2c23 Mon Sep 17 00:00:00 2001
From: rasikasri <44141067+rasikasri@users.noreply.github.com>
Date: Tue, 12 Dec 2023 10:31:27 +0000
Subject: [PATCH] HOTT-4467: Add CSP policy to Duty Calculator app (#730)
Co-authored-by: Rasika.Abeyrathna
---
 .../layouts/_google_tag_manager.html.erb | 6 ++-
 app/views/layouts/application.html.erb | 4 +-
 .../initializers/content_security_policy.rb | 40 +++++++++----------
 config/routes.rb | 2 +-
 4 files changed, 27 insertions(+), 25 deletions(-)
diff --git a/app/views/layouts/_google_tag_manager.html.erb b/app/views/layouts/_google_tag_manager.html.erb
index 9aa49595..6213fc98 100644
--- a/app/views/layouts/_google_tag_manager.html.erb
+++ b/app/views/layouts/_google_tag_manager.html.erb
@@ -1,9 +1,11 @@
 <% if usage_enabled? -%> - + })(window,document,'script','dataLayer','GTM-MNNT6SX'); + <% end -%> <%- end %>
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index d97eddee..fedc70a0 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -21,9 +21,9 @@
 <%= render partial: 'layouts/google_tag_manager_no_script' %> - + <% end -%> Skip to main content
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 3621f97f..aadfad0d 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -4,23 +4,23 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
-# Rails.application.configure do
-# config.content_security_policy do |policy|
-# policy.default_src :self, :https
-# policy.font_src :self, :https, :data
-# policy.img_src :self, :https, :data
-# policy.object_src :none
-# policy.script_src :self, :https
-# policy.style_src :self, :https
-# # Specify URI for violation reports
-# # policy.report_uri "/csp-violation-report-endpoint"
-# end
-#
-# # Generate session nonces for permitted importmap and inline scripts
-# config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-# config.content_security_policy_nonce_directives = %w(script-src)
-#
-# # Report CSP violations to a specified URI. See:
-# # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-# # config.content_security_policy_report_only = true
-# end
+Rails.application.configure do
+ config.content_security_policy do |policy|
+ policy.default_src :self
+ policy.font_src :self, :data
+ policy.img_src :self, :data
+ policy.object_src :none
+ policy.script_src :self
+ # policy.style_src :self
+ # Specify URI for violation reports
+ policy.report_uri ENV['SENTRY_CSP_ENDPOINT'] if ENV['SENTRY_CSP_ENDPOINT'].present?
+ end
+
+ # Generate session nonces for permitted importmap and inline scripts
+ config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+ # config.content_security_policy_nonce_directives = %w(script-src)
+
+ # Report CSP violations to a specified URI. See:
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+ # config.content_security_policy_report_only = true
+end
diff --git a/config/routes.rb b/config/routes.rb
index d5b814f2..0fdb1a56 100644
--- a/config/routes.rb
+++ b/config/routes.rb
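Review bot: The nonce generator `config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }` writes the session id into every page's markup and reuses one nonce for the whole session; a per-request random value, `config.content_security_policy_nonce_generator = ->(request) { SecureRandom.base64(16) }`, keeps the nonce unpredictable without exposing session state. With `nonce_directives` left commented out, Rails' default applies, which I believe appends the nonce to script-src and style-src; since `style_src` is not declared here only script-src will carry it, and the comment above the generator should say so rather than the template wording. `script_src :self` does not permit the external gtm.js that the `GTM-MNNT6SX` snippet in the first hunk loads from www.googletagmanager.com, so if that partial is the standard snippet it will be blocked unless the host is listed (`policy.script_src :self, 'https://www.googletagmanager.com'`) or `:strict_dynamic` is added alongside the nonce, and the no-script iframe partial rendered in the layout would likewise need a `frame_src`. `report_uri` is deprecated in favour of report-to but still honoured by browsers, which is acceptable for now.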
@@ -1,5 +1,5 @@
 Rails.application.routes.draw do
- root to: proc { [404, {}, ['Not found.']] }
+ root to: proc { [404, {'Content-Type' => 'text/html'}, ['Not found.']] }
 get 'healthcheckz', to: 'healthcheck#checkz'
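Review bot: The added `'Content-Type' => 'text/html'` on the root 404 response labels a plain-text body as HTML and nothing in the hunk explains why; if the intent is that the CSP middleware, which I believe only decorates HTML responses, also covers this route, a comment such as `# text/html so the CSP middleware adds the policy header to this response too` would save the next reader a guess, otherwise `text/plain` matches the body. The hunk header announces five lines but only four are visible here, so the end of the hunk may be cut off.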