github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-12-15 16:33:45 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
87f89e92a8
discourse/lib/content_security_policy/middleware.rb

33 lines
829 B
Ruby
Raw Normal View History

FEATURE: allow plugins and themes to extend the default CSP (#6704) * FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now
2018-11-30 22:51:45 +08:00
# frozen_string_literal: true
require_dependency 'content_security_policy'
class ContentSecurityPolicy
class Middleware
def initialize(app)
@app = app
end
def call(env)
request = Rack::Request.new(env)
_, headers, _ = response = @app.call(env)
return response unless html_response?(headers)
ContentSecurityPolicy.base_url = request.host_with_port if Rails.env.development?
headers['Content-Security-Policy'] = policy if SiteSetting.content_security_policy
headers['Content-Security-Policy-Report-Only'] = policy if SiteSetting.content_security_policy_report_only
response
end
private
delegate :policy, to: :ContentSecurityPolicy
def html_response?(headers)
headers['Content-Type'] && headers['Content-Type'] =~ /html/
end
end
end
Reference in New Issue Copy Permalink