discourse/lib/content_security_policy.rb
David Taylor d1a2596889
DEV: Allow CSP nonce_placeholder to be generated outside Rails (#26052)
Sometimes we add scripts outside of Rails. This commit provides a way to generate a nonce placeholder even if you don't have access to an ApplicationController instance.
2024-03-06 13:01:32 +00:00


# frozen_string_literal: true
require "content_security_policy/builder"
require "content_security_policy/extension"
class ContentSecurityPolicy
  # Builds a complete policy without the caller having to create an instance.
  #
  # @param theme_id forwarded to Extension.theme_extensions (default nil)
  # @param base_url [String] origin the policy is built for; defaults to Discourse.base_url
  # @param path_info [String] request path handed to Extension.path_specific_extension
  # @return the result of Builder#build
  def self.policy(theme_id = nil, base_url: Discourse.base_url, path_info: "/")
    instance = new
    instance.build(theme_id, base_url: base_url, path_info: path_info)
  end

  # Returns the per-response placeholder for the CSP script nonce, creating it
  # on first use and handing back the same value on every later call.
  #
  # The placeholder lives in the response header named by
  # Middleware::CspScriptNonceInjector::PLACEHOLDER_HEADER. `||=` is what lets
  # script tags emitted outside Rails (no ApplicationController available) and
  # those rendered by Rails end up with one shared placeholder for the response.
  # The random hex suffix keeps the placeholder unguessable to page content.
  # NOTE(review): the substitution of the real nonce for this placeholder is
  # presumably done by the injector middleware — confirm there.
  #
  # @param response_headers [Hash] mutable headers of the current response
  # @return [String] the placeholder, of the form "[[csp_nonce_placeholder_<hex>]]"
  def self.nonce_placeholder(response_headers)
    header_name = ::Middleware::CspScriptNonceInjector::PLACEHOLDER_HEADER
    response_headers[header_name] ||= "[[csp_nonce_placeholder_#{SecureRandom.hex}]]"
  end

  # Assembles the policy: theme extensions, plugin extensions, the site-setting
  # extension and the path-specific extension are appended to a Builder in that
  # order, then the builder is finalized.
  #
  # @param theme_id forwarded to Extension.theme_extensions
  # @param base_url [String] origin passed to Builder.new
  # @param path_info [String] request path passed to Extension.path_specific_extension
  # @return the result of Builder#build
  def build(theme_id, base_url:, path_info: "/")
    policy_builder = Builder.new(base_url: base_url)
    append = ->(extension) { policy_builder << extension }

    # Order matters to the builder's merge semantics only as far as Builder
    # defines it; keep the same sequence the policy has always used.
    Extension.theme_extensions(theme_id).each(&append)
    Extension.plugin_extensions.each(&append)
    append.call(Extension.site_setting_extension)
    append.call(Extension.path_specific_extension(path_info))

    policy_builder.build
  end
end
# Short alias so callers can refer to the class as CSP.
CSP = ContentSecurityPolicy