Add support for Content-Security-Policy

author Tom Hughes <tom@compton.nu>

Sun, 26 Feb 2017 19:34:31 +0000 (19:34 +0000)

committer Tom Hughes <tom@compton.nu>

Sun, 26 Feb 2017 19:48:13 +0000 (19:48 +0000)
author Tom Hughes <tom@compton.nu>
Sun, 26 Feb 2017 19:34:31 +0000 (19:34 +0000)
committer Tom Hughes <tom@compton.nu>
Sun, 26 Feb 2017 19:48:13 +0000 (19:48 +0000)
diff --git a/.rubocop.yml b/.rubocop.yml

index 477b2ab02c152e3af3488a62eb8c0b79040d1db3..5bae96caa33e1f8d40c1c85284247d442eb87833 100644 (file)
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -62,3 +62,7 @@ Rails/SkipsModelValidations:
    Exclude:
      - 'db/migrate/*.rb'
      - 'app/controllers/user_controller.rb'
    Exclude:
      - 'db/migrate/*.rb'
      - 'app/controllers/user_controller.rb'
+
+Lint/PercentStringArray:
+  Exclude:
+    - 'config/initializers/secure_headers.rb'
diff --git a/Gemfile b/Gemfile

index 85f1a87e4bc369fb80197b1ba272309af1f11881..72fc32683f2e02ee50f7a73b404735a40f8c4ab1 100644 (file)
--- a/Gemfile
+++ b/Gemfile
@@ -92,6 +92,9 @@ gem "rotp"
  gem "dalli"
  gem "kgio"
  
  gem "dalli"
  gem "kgio"
  
+# Load secure_headers for Content-Security-Policy support
+gem "secure_headers"
+
  # Used to generate logstash friendly log files
  gem "logstasher"
  
  # Used to generate logstash friendly log files
  gem "logstasher"
  
diff --git a/Gemfile.lock b/Gemfile.lock

index c4891a358b33c5adae0f2fa203391d3a0f8fcdd7..b3768cb7499cd6079a6f85d0dcc1e798d49e2a9b 100644 (file)
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -96,7 +96,7 @@ GEM
      globalid (0.3.7)
        activesupport (>= 4.1.0)
      hashdiff (0.3.2)
      globalid (0.3.7)
        activesupport (>= 4.1.0)
      hashdiff (0.3.2)
-    hashie (3.5.4)
+    hashie (3.5.5)
      htmlentities (4.3.4)
      http_accept_language (2.0.5)
      i18n (0.8.1)
      htmlentities (4.3.4)
      http_accept_language (2.0.5)
      i18n (0.8.1)
@@ -218,7 +218,7 @@ GEM
        websocket-driver (>= 0.2.0)
      powerpack (0.1.1)
      progress (3.3.1)
        websocket-driver (>= 0.2.0)
      powerpack (0.1.1)
      progress (3.3.1)
-    psych (2.2.3)
+    psych (2.2.4)
      public_suffix (2.0.5)
      r2 (0.2.6)
      rack (1.6.5)
      public_suffix (2.0.5)
      r2 (0.2.6)
      rack (1.6.5)
@@ -283,6 +283,8 @@ GEM
        sprockets (>= 2.8, < 4.0)
        sprockets-rails (>= 2.0, < 4.0)
        tilt (>= 1.1, < 3)
        sprockets (>= 2.8, < 4.0)
        sprockets-rails (>= 2.0, < 4.0)
        tilt (>= 1.1, < 3)
+    secure_headers (3.6.1)
+      useragent
      simplecov (0.12.0)
        docile (~> 1.1.0)
        json (>= 1.8, < 3)
      simplecov (0.12.0)
        docile (~> 1.1.0)
        json (>= 1.8, < 3)
@@ -310,6 +312,7 @@ GEM
      uglifier (3.0.4)
        execjs (>= 0.3.0, < 3)
      unicode-display_width (1.1.3)
      uglifier (3.0.4)
        execjs (>= 0.3.0, < 3)
      unicode-display_width (1.1.3)
+    useragent (0.16.8)
      validates_email_format_of (1.6.3)
        i18n
      vendorer (0.1.16)
      validates_email_format_of (1.6.3)
        i18n
      vendorer (0.1.16)
@@ -376,6 +379,7 @@ DEPENDENCIES
    rubocop
    sanitize
    sass-rails (~> 5.0)
    rubocop
    sanitize
    sass-rails (~> 5.0)
+  secure_headers
    timecop
    uglifier (>= 1.3.0)
    validates_email_format_of (>= 1.5.1)
    timecop
    uglifier (>= 1.3.0)
    validates_email_format_of (>= 1.5.1)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb

index 8eb5f240906579f6fdb21fff01a293fc8c0483ea..10901fdd5f4236cc015ff31b6ab33645b9f8099e 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -407,6 +407,11 @@ class ApplicationController < ActionController::Base
    end
  
    def map_layout
    end
  
    def map_layout
+    append_content_security_policy_directives(
+      :connect_src => %w(nominatim.openstreetmap.org overpass-api.de router.project-osrm.org valhalla.mapzen.com),
+      :script_src => %w(graphhopper.com open.mapquestapi.com)
+    )
+
      request.xhr? ? "xhr" : "map"
    end
  
      request.xhr? ? "xhr" : "map"
    end
  
diff --git a/app/controllers/site_controller.rb b/app/controllers/site_controller.rb

index aa284ecdc100ba37135d7a8e5b9f38db35650218..353feecefe32ae21062597d2ee7d9cfb2c137b0c 100644 (file)
--- a/app/controllers/site_controller.rb
+++ b/app/controllers/site_controller.rb
@@ -69,6 +69,13 @@ class SiteController < ApplicationController
        require_user
      end
  
        require_user
      end
  
+    if editor == "potlatch" || editor == "potlatch2"
+      append_content_security_policy_directives(
+        :object_src => %w(*),
+        :plugin_types => %w(application/x-shockwave-flash)
+      )
+    end
+
      if params[:node]
        bbox = Node.find(params[:node]).bbox.to_unscaled
        @lat = bbox.centre_lat
      if params[:node]
        bbox = Node.find(params[:node]).bbox.to_unscaled
        @lat = bbox.centre_lat
@@ -111,6 +118,12 @@ class SiteController < ApplicationController
    end
  
    def id
    end
  
    def id
+    append_content_security_policy_directives(
+      :connect_src => %w(taginfo.openstreetmap.org *.mapillary.com),
+      :img_src => %w(*),
+      :script_src => %w(dev.virtualearth.net)
+    )
+
      render "id", :layout => false
    end
  
      render "id", :layout => false
    end
  
diff --git a/config/example.application.yml b/config/example.application.yml

index f322dbccf4b12b47d29765806fb53cc7c621b2ac..ec6048521e00f119b49e0f3d6c2a3bc71b381104 100644 (file)
--- a/config/example.application.yml
+++ b/config/example.application.yml
@@ -119,6 +119,8 @@ defaults: &defaults
    #thunderforest_key: ""
    # Key for generating TOTP tokens
    #totp_key: ""
    #thunderforest_key: ""
    # Key for generating TOTP tokens
    #totp_key: ""
+  # URL for reporting Content-Security-Policy violations
+  #csp_report_url: ""
  
  development:
    <<: *defaults
  
  development:
    <<: *defaults
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb

new file mode 100644 (file)

index 0000000..13db365
--- /dev/null
+++ b/config/initializers/secure_headers.rb
@@ -0,0 +1,24 @@
+policy = if defined?(CSP_REPORT_URL)
+           {
+             :default_src => %w('self'),
+             :child_src => %w('self'),
+             :connect_src => %w('self'),
+             :font_src => %w('none'),
+             :form_action => %w('self'),
+             :frame_ancestors => %w('self'),
+             :img_src => %w('self' data: www.gravatar.com *.wp.com *.tile.openstreetmap.org *.tile.thunderforest.com *.openstreetmap.fr),
+             :media_src => %w('none'),
+             :object_src => %w('self'),
+             :plugin_types => %w('none'),
+             :script_src => %w('self' 'unsafe-inline'),
+             :style_src => %w('self' 'unsafe-inline'),
+             :report_uri => [CSP_REPORT_URL]
+           }
+         else
+           SecureHeaders::OPT_OUT
+         end
+
+SecureHeaders::Configuration.default do |config|
+  config.csp = SecureHeaders::OPT_OUT
+  config.csp_report_only = policy
+end
author	Tom Hughes <tom@compton.nu>
	Sun, 26 Feb 2017 19:34:31 +0000 (19:34 +0000)
committer	Tom Hughes <tom@compton.nu>
	Sun, 26 Feb 2017 19:48:13 +0000 (19:48 +0000)
.rubocop.yml		patch \| blob \| history
Gemfile		patch \| blob \| history
Gemfile.lock		patch \| blob \| history
app/controllers/application_controller.rb		patch \| blob \| history
app/controllers/site_controller.rb		patch \| blob \| history
config/example.application.yml		patch \| blob \| history
config/initializers/secure_headers.rb	[new file with mode: 0644]	patch \| blob