From a870c99bd540defcb7e68b4425f7767553583b57 Mon Sep 17 00:00:00 2001
From: "Ben Sheldon [he/him]"
Date: Sun, 25 Jul 2021 18:15:05 -0700
Subject: [PATCH] Ensure Dashboard inline javascript has CSP nonce for strict Content-Security Policy (#309)
---
 engine/app/views/shared/_chart.erb | 4 ++--
 .../initializers/content_security_policy.rb | 15 +++++++++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/engine/app/views/shared/_chart.erb b/engine/app/views/shared/_chart.erb
index a5424a7e8..e54e99422 100644
--- a/engine/app/views/shared/_chart.erb
+++ b/engine/app/views/shared/_chart.erb
@@ -1,6 +1,6 @@
- +<% end %>
diff --git a/spec/test_app/config/initializers/content_security_policy.rb b/spec/test_app/config/initializers/content_security_policy.rb
index 41c43016f..cf3f46374 100644
--- a/spec/test_app/config/initializers/content_security_policy.rb
+++ b/spec/test_app/config/initializers/content_security_policy.rb
@@ -26,3 +26,18 @@
 # For further information see the following documentation:
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 # Rails.application.config.content_security_policy_report_only = true
+
+Rails.application.config.content_security_policy do |policy|
+ policy.default_src :none
+ policy.connect_src :self
+ policy.base_uri :none
+ policy.font_src :self, :https, :data
+ policy.img_src :self, :https, :data
+ policy.object_src :none
+ policy.script_src :self
+ policy.style_src :self
+ policy.form_action :self
+ policy.frame_ancestors :self
+end
+
+Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
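Review bot: The nonce generator added at the end of the hunk only reaches `script-src` if `content_security_policy_nonce_directives` lists that directive for the Rails version the test app runs on; the hunk does not set it, so it is worth confirming that the nonce actually appears on the dashboard `<script>` tags rather than relying on whatever the framework default is. With `default_src :none` and `style_src :self`, any inline style the chart library writes at runtime would also be blocked — presumably fine if the dashboard uses only stylesheet classes, but worth one check in a browser console. Nothing in the hunk makes a CSP violation fail the spec suite, so a comment above the block such as `# Strict CSP for the test app: blocks any engine inline <script> rendered without a nonce, so dashboard regressions show up in system specs` would at least record why the policy exists and what it is meant to catch. The per-request `SecureRandom.base64(16)` nonce is sound; if the suite ever needs reproducible responses, a session-derived nonce is the usual alternative.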