X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/feff501b25ef5116fb9bc847dfb679919b44dce3..19d91c0216f73cd2bf382ea9e8cc54e4fc47a66a:/app/controllers/application_controller.rb?ds=inline diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index d80b286d6..cc006c19c 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -13,13 +13,30 @@ class ApplicationController < ActionController::Base rescue_from RailsParam::InvalidParameterError, :with => :invalid_parameter before_action :fetch_body - around_action :better_errors_allow_inline, :if => proc { Rails.env.development? } attr_accessor :current_user, :oauth_token helper_method :current_user helper_method :oauth_token + def self.allow_thirdparty_images(**options) + content_security_policy(options) do |policy| + policy.img_src("*") + end + end + + def self.allow_social_login(**options) + content_security_policy(options) do |policy| + policy.form_action(*policy.form_action, "accounts.google.com", "*.facebook.com", "login.microsoftonline.com", "github.com", "meta.wikimedia.org") + end + end + + def self.allow_all_form_action(**options) + content_security_policy(options) do |policy| + policy.form_action(nil) + end + end + private def authorize_web @@ -160,7 +177,7 @@ class ApplicationController < ActionController::Base # TODO: some sort of escaping of problem characters in the message response.headers["Error"] = message - if request.headers["X-Error-Format"]&.casecmp("xml")&.zero? + if request.headers["X-Error-Format"]&.casecmp?("xml") result = OSM::API.new.xml_doc result.root.name = "osmError" result.root << (XML::Node.new("status") << "#{Rack::Utils.status_code(status)} #{Rack::Utils::HTTP_STATUS_CODES[status]}") @@ -229,13 +246,15 @@ class ApplicationController < ActionController::Base end def map_layout - append_content_security_policy_directives( - :child_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112], - :frame_src => %w[http://127.0.0.1:8111 https://127.0.0.1:8112], - :connect_src => [Settings.nominatim_url, Settings.overpass_url, Settings.fossgis_osrm_url, Settings.graphhopper_url, Settings.fossgis_valhalla_url], - :form_action => %w[render.openstreetmap.org], - :style_src => %w['unsafe-inline'] - ) + policy = request.content_security_policy.clone + + policy.child_src(*policy.child_src, "http://127.0.0.1:8111", "https://127.0.0.1:8112") + policy.frame_src(*policy.frame_src, "http://127.0.0.1:8111", "https://127.0.0.1:8112") + policy.connect_src(*policy.connect_src, Settings.nominatim_url, Settings.overpass_url, Settings.fossgis_osrm_url, Settings.graphhopper_url, Settings.fossgis_valhalla_url) + policy.form_action(*policy.form_action, "render.openstreetmap.org") + policy.style_src(*policy.style_src, :unsafe_inline) + + request.content_security_policy = policy case Settings.status when "database_offline", "api_offline" @@ -247,10 +266,6 @@ class ApplicationController < ActionController::Base request.xhr? ? "xhr" : "map" end - def allow_thirdparty_images - append_content_security_policy_directives(:img_src => %w[*]) - end - def preferred_editor if params[:editor] params[:editor] @@ -273,23 +288,12 @@ class ApplicationController < ActionController::Base end end - def better_errors_allow_inline - yield - rescue StandardError - append_content_security_policy_directives( - :script_src => %w['unsafe-inline'], - :style_src => %w['unsafe-inline'] - ) - - raise - end - def current_ability Ability.new(current_user) end def deny_access(_exception) - if doorkeeper_token || current_token + if doorkeeper_token set_locale report_error t("oauth.permissions.missing"), :forbidden elsif current_user @@ -333,9 +337,6 @@ class ApplicationController < ActionController::Base [user, pass] end - # override to stop oauth plugin sending errors - def invalid_oauth_response; end - # clean any referer parameter def safe_referer(referer) begin @@ -358,7 +359,7 @@ class ApplicationController < ActionController::Base end def scope_enabled?(scope) - doorkeeper_token&.includes_scope?(scope) || current_token&.includes_scope?(scope) + doorkeeper_token&.includes_scope?(scope) end helper_method :scope_enabled?