mirror of
https://github.com/discourse/discourse.git
synced 2024-11-23 03:40:00 +08:00
84 lines
2.1 KiB
Ruby
84 lines
2.1 KiB
Ruby
|
# frozen_string_literal: true
|
||
|
require_dependency 'global_path'
|
||
|
|
||
|
class ContentSecurityPolicy
|
||
|
include GlobalPath
|
||
|
|
||
|
class Middleware
|
||
|
WHITELISTED_PATHS = %w(
|
||
|
/logs
|
||
|
)
|
||
|
|
||
|
def initialize(app)
|
||
|
@app = app
|
||
|
end
|
||
|
|
||
|
def call(env)
|
||
|
request = Rack::Request.new(env)
|
||
|
_, headers, _ = response = @app.call(env)
|
||
|
|
||
|
return response unless html_response?(headers) && ContentSecurityPolicy.enabled?
|
||
|
return response if whitelisted?(request.path)
|
||
|
|
||
|
policy = ContentSecurityPolicy.new.build
|
||
|
headers['Content-Security-Policy'] = policy if SiteSetting.content_security_policy
|
||
|
headers['Content-Security-Policy-Report-Only'] = policy if SiteSetting.content_security_policy_report_only
|
||
|
|
||
|
response
|
||
|
end
|
||
|
|
||
|
private
|
||
|
|
||
|
def html_response?(headers)
|
||
|
headers['Content-Type'] && headers['Content-Type'] =~ /html/
|
||
|
end
|
||
|
|
||
|
def whitelisted?(path)
|
||
|
if GlobalSetting.relative_url_root
|
||
|
path.slice!(/^#{Regexp.quote(GlobalSetting.relative_url_root)}/)
|
||
|
end
|
||
|
|
||
|
WHITELISTED_PATHS.any? { |whitelisted| path.start_with?(whitelisted) }
|
||
|
end
|
||
|
end
|
||
|
|
||
|
def self.enabled?
|
||
|
SiteSetting.content_security_policy || SiteSetting.content_security_policy_report_only
|
||
|
end
|
||
|
|
||
|
def initialize
|
||
|
@directives = {
|
||
|
script_src: script_src,
|
||
|
}
|
||
|
|
||
|
@directives[:report_uri] = path('/csp_reports') if SiteSetting.content_security_policy_collect_reports
|
||
|
end
|
||
|
|
||
|
def build
|
||
|
policy = ActionDispatch::ContentSecurityPolicy.new
|
||
|
|
||
|
@directives.each do |directive, sources|
|
||
|
if sources.is_a?(Array)
|
||
|
policy.public_send(directive, *sources)
|
||
|
else
|
||
|
policy.public_send(directive, sources)
|
||
|
end
|
||
|
end
|
||
|
|
||
|
policy.build
|
||
|
end
|
||
|
|
||
|
private
|
||
|
|
||
|
def script_src
|
||
|
sources = [:self, :unsafe_eval]
|
||
|
|
||
|
sources << :https if SiteSetting.force_https
|
||
|
sources << Discourse.asset_host if Discourse.asset_host.present?
|
||
|
sources << 'www.google-analytics.com' if SiteSetting.ga_universal_tracking_code.present?
|
||
|
sources << 'www.googletagmanager.com' if SiteSetting.gtm_container_id.present?
|
||
|
|
||
|
sources.concat(SiteSetting.content_security_policy_script_src.split('|'))
|
||
|
end
|
||
|
end
|