]> git.openstreetmap.org Git - rails.git/commitdiff
Improve the content security policy
authorTom Hughes <tom@compton.nu>
Wed, 1 Mar 2017 22:38:24 +0000 (22:38 +0000)
committerTom Hughes <tom@compton.nu>
Wed, 1 Mar 2017 22:38:24 +0000 (22:38 +0000)
.rubocop.yml
app/controllers/application_controller.rb
app/controllers/site_controller.rb
config/initializers/secure_headers.rb

index 5bae96caa33e1f8d40c1c85284247d442eb87833..a31adf03bed73486bfb2c7f532ab61aad0cad8e3 100644 (file)
@@ -66,3 +66,4 @@ Rails/SkipsModelValidations:
 Lint/PercentStringArray:
   Exclude:
     - 'config/initializers/secure_headers.rb'
 Lint/PercentStringArray:
   Exclude:
     - 'config/initializers/secure_headers.rb'
+    - 'app/controllers/site_controller.rb'
index 26bb92f9af78b8685f8fa9356428a5b5a269595b..ff3f67efd975d46d76312a35f97fcf44c7899df9 100644 (file)
@@ -410,7 +410,8 @@ class ApplicationController < ActionController::Base
   def map_layout
     append_content_security_policy_directives(
       :connect_src => %w(nominatim.openstreetmap.org overpass-api.de router.project-osrm.org valhalla.mapzen.com),
   def map_layout
     append_content_security_policy_directives(
       :connect_src => %w(nominatim.openstreetmap.org overpass-api.de router.project-osrm.org valhalla.mapzen.com),
-      :script_src => %w(graphhopper.com open.mapquestapi.com)
+      :script_src => %w(graphhopper.com open.mapquestapi.com),
+      :img_src => %w(developer.mapquest.com)
     )
 
     request.xhr? ? "xhr" : "map"
     )
 
     request.xhr? ? "xhr" : "map"
index 353feecefe32ae21062597d2ee7d9cfb2c137b0c..b0552322ed6d808efbf7a82bae2e001eb9b104fc 100644 (file)
@@ -72,7 +72,8 @@ class SiteController < ApplicationController
     if editor == "potlatch" || editor == "potlatch2"
       append_content_security_policy_directives(
         :object_src => %w(*),
     if editor == "potlatch" || editor == "potlatch2"
       append_content_security_policy_directives(
         :object_src => %w(*),
-        :plugin_types => %w(application/x-shockwave-flash)
+        :plugin_types => %w(application/x-shockwave-flash),
+        :script_src => %w('unsafe-inline')
       )
     end
 
       )
     end
 
index 13db365099a9eeacd1fa0dc1aa4376196728a5e0..cd428d7dd2a9084de15f367c45d7ac512540e175 100644 (file)
@@ -10,7 +10,7 @@ policy = if defined?(CSP_REPORT_URL)
              :media_src => %w('none'),
              :object_src => %w('self'),
              :plugin_types => %w('none'),
              :media_src => %w('none'),
              :object_src => %w('self'),
              :plugin_types => %w('none'),
-             :script_src => %w('self' 'unsafe-inline'),
+             :script_src => %w('self'),
              :style_src => %w('self' 'unsafe-inline'),
              :report_uri => [CSP_REPORT_URL]
            }
              :style_src => %w('self' 'unsafe-inline'),
              :report_uri => [CSP_REPORT_URL]
            }
@@ -18,6 +18,8 @@ policy = if defined?(CSP_REPORT_URL)
            SecureHeaders::OPT_OUT
          end
 
            SecureHeaders::OPT_OUT
          end
 
+policy[:script_src] << PIWIK["location"] if defined?(PIWIK)
+
 SecureHeaders::Configuration.default do |config|
   config.csp = SecureHeaders::OPT_OUT
   config.csp_report_only = policy
 SecureHeaders::Configuration.default do |config|
   config.csp = SecureHeaders::OPT_OUT
   config.csp_report_only = policy