mirror of
https://github.com/discourse/discourse.git
synced 2024-11-29 00:55:06 +08:00
03deda2147
* Add missing icons to set
* Revert FA5 revert
This reverts commit 42572ff
* use new SVG syntax in locales
* Noscript page changes (remove login button, center "powered by" footer text)
* Cast wider net for SVG icons in settings
- include any _icon setting for SVG registry (offers better support for plugin settings)
- let themes store multiple pipe-delimited icons in a setting
- also replaces broken onebox image icon with SVG reference in cooked post processor
* interpolate icons in locales
* Fix composer whisper icon alignment
* Add support for stacked icons
* SECURITY: enforce hostname to match discourse hostname
This ensures that the hostname rails uses for various helpers always matches
the Discourse hostname
* load SVG sprite with pre-initializers
* FIX: enable caching on SVG sprites
* PERF: use JSONP for SVG sprites so they are served from CDN
This avoids needing to deal with CORS for loading of the SVG
Note, added the svg- prefix to the filename so we can quickly tell in
dev tools what the file is
* Add missing SVG sprite JSONP script to CSP
* Upgrade to FA 5.5.0
* Add support for all FA4.7 icons
- adds complete frontend and backend for renamed FA4.7 icons
- improves performance of SvgSprite.bundle and SvgSprite.all_icons
* Fix group avatar flair preview
- adds an endpoint at /svg-sprites/search/:keyword
- adds frontend ajax call that pulls icon in avatar flair preview even when it is not in subset
* Remove FA 4.7 font files
108 lines
2.8 KiB
Ruby
108 lines
2.8 KiB
Ruby
# frozen_string_literal: true
|
|
require_dependency 'global_path'
|
|
|
|
class ContentSecurityPolicy
|
|
include GlobalPath
|
|
|
|
class Middleware
|
|
def initialize(app)
|
|
@app = app
|
|
end
|
|
|
|
def call(env)
|
|
request = Rack::Request.new(env)
|
|
_, headers, _ = response = @app.call(env)
|
|
|
|
return response unless html_response?(headers) && ContentSecurityPolicy.enabled?
|
|
|
|
policy = ContentSecurityPolicy.new(request).build
|
|
headers['Content-Security-Policy'] = policy if SiteSetting.content_security_policy
|
|
headers['Content-Security-Policy-Report-Only'] = policy if SiteSetting.content_security_policy_report_only
|
|
|
|
response
|
|
end
|
|
|
|
private
|
|
|
|
def html_response?(headers)
|
|
headers['Content-Type'] && headers['Content-Type'] =~ /html/
|
|
end
|
|
end
|
|
|
|
def self.enabled?
|
|
SiteSetting.content_security_policy || SiteSetting.content_security_policy_report_only
|
|
end
|
|
|
|
def initialize(request = nil)
|
|
@request = request
|
|
@directives = {
|
|
script_src: script_src,
|
|
worker_src: [:self, :blob],
|
|
}
|
|
|
|
@directives[:report_uri] = path('/csp_reports') if SiteSetting.content_security_policy_collect_reports
|
|
end
|
|
|
|
def build
|
|
policy = ActionDispatch::ContentSecurityPolicy.new
|
|
|
|
@directives.each do |directive, sources|
|
|
if sources.is_a?(Array)
|
|
policy.public_send(directive, *sources)
|
|
else
|
|
policy.public_send(directive, sources)
|
|
end
|
|
end
|
|
|
|
policy.build
|
|
end
|
|
|
|
private
|
|
|
|
attr_reader :request
|
|
|
|
SCRIPT_ASSET_DIRECTORIES = [
|
|
# [dir, can_use_s3_cdn, can_use_cdn]
|
|
['/assets/', true, true],
|
|
['/brotli_asset/', true, true],
|
|
['/extra-locales/', false, false],
|
|
['/highlight-js/', false, true],
|
|
['/javascripts/', false, true],
|
|
['/plugins/', false, true],
|
|
['/theme-javascripts/', false, true],
|
|
['/svg-sprite/', false, true],
|
|
]
|
|
|
|
def script_assets(base = base_url, s3_cdn = GlobalSetting.s3_cdn_url, cdn = GlobalSetting.cdn_url)
|
|
SCRIPT_ASSET_DIRECTORIES.map do |dir, can_use_s3_cdn, can_use_cdn|
|
|
if can_use_s3_cdn && s3_cdn
|
|
s3_cdn + dir
|
|
elsif can_use_cdn && cdn
|
|
cdn + dir
|
|
else
|
|
base + dir
|
|
end
|
|
end
|
|
end
|
|
|
|
def script_src
|
|
sources = [
|
|
:unsafe_eval,
|
|
"#{base_url}/logs/",
|
|
"#{base_url}/sidekiq/",
|
|
"#{base_url}/mini-profiler-resources/",
|
|
]
|
|
|
|
sources.concat(script_assets)
|
|
|
|
sources << 'https://www.google-analytics.com' if SiteSetting.ga_universal_tracking_code.present?
|
|
sources << 'https://www.googletagmanager.com' if SiteSetting.gtm_container_id.present?
|
|
|
|
sources.concat(SiteSetting.content_security_policy_script_src.split('|'))
|
|
end
|
|
|
|
def base_url
|
|
@base_url ||= Rails.env.development? ? request.host_with_port : Discourse.base_url
|
|
end
|
|
end
|