closed-social
/
mastodon
3
0
Fork 2
Code Issues 5 Pull Requests 0 Projects 0 Releases 3 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10234 Commits
4 Branches
567 MiB
Tree: cbd0ee1d07
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cbd0ee1d07'
${ noResults }
mastodon/config/initializers/content_security_policy.rb

61 lines
2.4 KiB
Raw Normal View History

Upgrade Rails to version 5.2.0 (#5898)
6 years ago
Fix media host not being included in connect-src for OCR (#11577)
4 years ago
Fix CSP headers blocking media and development environment (#8962) Regression from #8957
5 years ago
Fix media host not being included in connect-src for OCR (#11577)
4 years ago
Set Content-Security-Policy rules through RoR's config (#8957) * Set CSP rules in RoR's configuration * Override CSP setting in the embed controller to allow frames
5 years ago
Fix CSP headers blocking media and development environment (#8962) Regression from #8957
5 years ago
Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679) * Make sure wicg-inert doesn't rely on inline CSS * Remove unsafe-inline from style-src
4 years ago
Fix CSP headers blocking media and development environment (#8962) Regression from #8957
5 years ago
Set Content-Security-Policy rules through RoR's config (#8957) * Set CSP rules in RoR's configuration * Override CSP setting in the embed controller to allow frames
5 years ago
Add manifest_src to CSP, add blob to connect_src (#8967)
5 years ago
Fix CSP headers blocking media and development environment (#8962) Regression from #8957
5 years ago
Fix media host not being included in connect-src for OCR (#11577)
4 years ago
Fix CSP needlessly allowing blob URLs in script-src (#11620)
4 years ago
Fix OCR not working on Safari because of unsupported worker-src CSP (#13323) Fixes #13321
4 years ago
Fix CSP needlessly allowing blob URLs in script-src (#11620)
4 years ago
Fix CSP headers blocking media and development environment (#8962) Regression from #8957
5 years ago
Fix media host not being included in connect-src for OCR (#11577)
4 years ago
Fix CSP needlessly allowing blob URLs in script-src (#11620)
4 years ago
Fix OCR not working on Safari because of unsupported worker-src CSP (#13323) Fixes #13321
4 years ago
Fix CSP needlessly allowing blob URLs in script-src (#11620)
4 years ago
Fix CSP headers blocking media and development environment (#8962) Regression from #8957
5 years ago
Set Content-Security-Policy rules through RoR's config (#8957) * Set CSP rules in RoR's configuration * Override CSP setting in the embed controller to allow frames
5 years ago
Upgrade Rails to version 5.2.0 (#5898)
6 years ago
Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595)
4 years ago
Fix hashtag column options styling (#14247) * Enable nonces for stylesheets * Pass nonce to react-select
3 years ago
Update Mastodon to Rails 6.1 (#15910) * Update devise-two-factor to unreleased fork for Rails 6 support Update tests to match new `rotp` version. * Update nsa gem to unreleased fork for Rails 6 support * Update rails to 6.1.3 and rails-i18n to 6.0 * Update to unreleased fork of pluck_each for Ruby 6 support * Run "rails app:update" * Add missing ActiveStorage config file * Use config.ssl_options instead of removed ApplicationController#force_ssl Disabled force_ssl-related tests as they do not seem to be easily testable anymore. * Fix nonce directives by removing Rails 5 specific monkey-patching * Fix fixture_file_upload deprecation warning * Fix yield-based test failing with Rails 6 * Use Rails 6's index_with when possible * Use ActiveRecord::Cache::Store#delete_multi from Rails 6 This will yield better performances when deleting an account * Disable Rails 6.1's automatic preload link headers Since Rails 6.1, ActionView adds preload links for javascript files in the Links header per default. In our case, that will bloat headers too much and potentially cause issues with reverse proxies. Furhermore, we don't need those links, as we already output them as HTML link tags. * Switch to Rails 6.0 default config * Switch to Rails 6.1 default config * Do not include autoload paths in the load path
3 years ago
Fix hashtag column options styling (#14247) * Enable nonces for stylesheets * Pass nonce to react-select
3 years ago
Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595)
4 years ago
Fix hashtag column options styling (#14247) * Enable nonces for stylesheets * Pass nonce to react-select
3 years ago
 
  1. # Define an application-wide content security policy
  2. # For further information see the following documentation
  3. # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
  4. 

  5. def host_to_url(str)
  6.   "http#{Rails.configuration.x.use_https ? 's' : ''}://#{str}" unless str.blank?
  7. end
  8. 

  9. base_host = Rails.configuration.x.web_domain
  10. 

  11. assets_host   = Rails.configuration.action_controller.asset_host
  12. assets_host ||= host_to_url(base_host)
  13. 

  14. media_host   = host_to_url(ENV['S3_ALIAS_HOST'])
  15. media_host ||= host_to_url(ENV['S3_CLOUDFRONT_HOST'])
  16. media_host ||= host_to_url(ENV['S3_HOSTNAME']) if ENV['S3_ENABLED'] == 'true'
  17. media_host ||= assets_host
  18. 

  19. Rails.application.config.content_security_policy do |p|
  20.   p.base_uri        :none
  21.   p.default_src     :none
  22.   p.frame_ancestors :none
  23.   p.font_src        :self, assets_host
  24.   p.img_src         :self, :https, :data, :blob, assets_host
  25.   p.style_src       :self, assets_host
  26.   p.media_src       :self, :https, :data, assets_host
  27.   p.frame_src       :self, :https
  28.   p.manifest_src    :self, assets_host
  29. 

  30.   if Rails.env.development?
  31.     webpacker_urls = %w(ws http).map { |protocol| "#{protocol}#{Webpacker.dev_server.https? ? 's' : ''}://#{Webpacker.dev_server.host_with_port}" }
  32. 

  33.     p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url, *webpacker_urls
  34.     p.script_src  :self, :unsafe_inline, :unsafe_eval, assets_host
  35.     p.child_src   :self, :blob, assets_host
  36.     p.worker_src  :self, :blob, assets_host
  37.   else
  38.     p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url
  39.     p.script_src  :self, assets_host
  40.     p.child_src   :self, :blob, assets_host
  41.     p.worker_src  :self, :blob, assets_host
  42.   end
  43. end
  44. 

  45. # Report CSP violations to a specified URI
  46. # For further information see the following documentation:
  47. # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
  48. # Rails.application.config.content_security_policy_report_only = true
  49. 

  50. Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
  51. 

  52. Rails.application.config.content_security_policy_nonce_directives = %w(style-src)
  53. 

  54. PgHero::HomeController.content_security_policy do |p|
  55.   p.script_src :self, :unsafe_inline, assets_host
  56.   p.style_src  :self, :unsafe_inline, assets_host
  57. end
  58. 

  59. PgHero::HomeController.after_action do
  60.   request.content_security_policy_nonce_generator = nil
  61. end