discourse/lib/content_security_policy.rb
Kyle Zhao 3493ea85cc remove Logster from CSP whitelist (#6593)
Logster 1.3 no longer has inline JS and is now CSP compliant
2018-11-13 09:55:57 +11:00

71 lines
1.8 KiB
Ruby

# frozen_string_literal: true
require_dependency 'global_path'
class ContentSecurityPolicy
include GlobalPath
class Middleware
def initialize(app)
@app = app
end
def call(env)
request = Rack::Request.new(env)
_, headers, _ = response = @app.call(env)
return response unless html_response?(headers) && ContentSecurityPolicy.enabled?
policy = ContentSecurityPolicy.new.build
headers['Content-Security-Policy'] = policy if SiteSetting.content_security_policy
headers['Content-Security-Policy-Report-Only'] = policy if SiteSetting.content_security_policy_report_only
response
end
private
def html_response?(headers)
headers['Content-Type'] && headers['Content-Type'] =~ /html/
end
end
def self.enabled?
SiteSetting.content_security_policy || SiteSetting.content_security_policy_report_only
end
def initialize
@directives = {
script_src: script_src,
}
@directives[:report_uri] = path('/csp_reports') if SiteSetting.content_security_policy_collect_reports
end
def build
policy = ActionDispatch::ContentSecurityPolicy.new
@directives.each do |directive, sources|
if sources.is_a?(Array)
policy.public_send(directive, *sources)
else
policy.public_send(directive, sources)
end
end
policy.build
end
private
def script_src
sources = [:self, :unsafe_eval]
sources << :https if SiteSetting.force_https
sources << Discourse.asset_host if Discourse.asset_host.present?
sources << 'www.google-analytics.com' if SiteSetting.ga_universal_tracking_code.present?
sources << 'www.googletagmanager.com' if SiteSetting.gtm_container_id.present?
sources.concat(SiteSetting.content_security_policy_script_src.split('|'))
end
end