Add CSP (#119)

obl-ong · Feb 23, 2024 · 97f6a95 · 97f6a95
1 parent 26505e0
commit 97f6a95
Show file tree

Hide file tree

Showing 22 changed files with 79 additions and 63 deletions.
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
@@ -1,2 +1,17 @@
 module ApplicationHelper
+  def style_tag(content_or_options_with_block = nil, html_options = {}, &block)
+    content =
+      if block
+        html_options = content_or_options_with_block if content_or_options_with_block.is_a?(Hash)
+        capture(&block)
+      else
+        content_or_options_with_block
+      end
+
+    if html_options[:nonce] == true
+      html_options[:nonce] = content_security_policy_nonce
+    end
+
+    content_tag("style", content.html_safe, html_options)
+  end
 end
diff --git a/app/views/admin/developers_review.html.erb b/app/views/admin/developers_review.html.erb
@@ -34,7 +34,7 @@
 <%= javascript_include_tag "tinder", "data-turbo-track": "reload" %>
 <% end %>
 
-<style>
+<%= style_tag nonce: true do %>
 @import url("https://code.ionicframework.com/contrib/ionic-contrib-tinder-cards/ionic.tdcards.css");
 @import url("https://cdn.jsdelivr.net/npm/toastify-js/src/toastify.min.css");
 
@@ -135,4 +135,4 @@ form {
   position: relative;
   height: 100%;
 }
-</style>
+<% end %>
diff --git a/app/views/admin/index.html.erb b/app/views/admin/index.html.erb
@@ -11,12 +11,12 @@
     </ul>
 </main>
 
-<style>
+<%= style_tag nonce: true do %>
     li {
         margin-top: 0.25rem;
     }
 
     a {
         color: var(--winter-sky);
     }
-</style>
+<% end %>
diff --git a/app/views/admin/review.html.erb b/app/views/admin/review.html.erb
@@ -32,7 +32,7 @@
 <%= javascript_include_tag "tinder", "data-turbo-track": "reload" %>
 <% end %>
 
-<style>
+<%= style_tag nonce: true do %>
 @import url("https://code.ionicframework.com/contrib/ionic-contrib-tinder-cards/ionic.tdcards.css");
 @import url("https://cdn.jsdelivr.net/npm/toastify-js/src/toastify.min.css");
 
@@ -133,4 +133,4 @@ form {
   position: relative;
   height: 100%;
 }
-</style>
+<% end %>
diff --git a/app/views/auth/create_key.html.erb b/app/views/auth/create_key.html.erb
@@ -18,7 +18,7 @@
     </div>
 </section>
 
-<style>
+<%= style_tag nonce: true do %>
 	main {
 		padding: 5rem;
 		display: flex;
@@ -72,4 +72,4 @@
 		align-items: center;
 		text-align: center;
 	}
-</style>
+<% end %>
diff --git a/app/views/auth/email.html.erb b/app/views/auth/email.html.erb
@@ -18,7 +18,7 @@
     </div>
 </section>
 
-<style>
+<%= style_tag nonce: true do %>
 	main {
 		padding: 5rem;
 		display: flex;
@@ -80,4 +80,4 @@
 	label {
 		text-align: left;
 	}
-</style>
+<% end %>
diff --git a/app/views/auth/login.html.erb b/app/views/auth/login.html.erb
@@ -7,7 +7,7 @@
 	<p>Don't have an account? <a href="/users/register">Register</a></p>
 	<div>
 	<button style="display: flex; transform: scale(1.1);" data-action="click->webauthn#askAndLogin"> 
-		<svg version="1.2" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 489 475" width="16" height="16"><style>.a{fill:var(--cultured)}.b{fill:var(--winter-sky)}</style><path class="a" d="m326 348c0 37.2-0.1 73.8 0.1 110.5 0 3.6-0.8 4.6-4.6 4.6q-157.9-0.2-315.9 0c-3.4 0-4.8-0.4-4.7-4.5 0.7-20.8-1.3-41.7 1-62.4 5-43 25.1-77.7 59.7-103.7 26.6-20 56.8-29.7 90.3-29.5 25.9 0.1 51.9-0.1 77.9 0 19.1 0.1 37.2 4.5 54.8 11.8 2 0.9 3.1 2.1 4 4 8.3 17.2 19.7 32 34.6 43.9 2 1.6 2.9 3.2 2.9 5.8-0.2 6.3-0.1 12.7-0.1 19.5z"></path><path class="a" d="m300.9 104.4c1.7 48.7-17.9 85.7-60.6 108.4-67.8 36-150.6-6-163.1-81.8-10.3-62.5 34.5-122.4 97.2-129.9 60.6-7.2 115.4 33.8 125.4 93.9 0.5 2.9 0.7 5.9 1.1 9.4z"></path><path class="a" d="m348.4 155.3c34.5-24.2 77.3-23.1 108.5 2.7 48.9 40.4 39.7 118-17.3 146-2.1 1-4.1 2-7.1 3.4 9.4 9.2 18.4 18.3 27.6 27 3.1 2.8 3 4.4 0 7.2-10.5 10.2-20.7 20.8-31.2 31-2.2 2.2-2.5 3.3-0.1 5.7 10.7 10.4 21.2 21.2 31.9 31.7 2.6 2.5 2.3 3.8-0.1 6.1-18.8 18.7-37.6 37.4-56.2 56.3-2.8 2.8-4.3 2.5-6.9-0.1q-15.2-15.6-30.7-30.8c-2.5-2.4-3.4-4.9-3.4-8.3 0.1-41.3 0.1-82.7 0.1-124 0-3-0.5-5-3.6-6.7-56.8-31-62.8-106.6-11.5-147.2z"></path><path class="b" d="m386.5 220.6c-15.5-13.3-13.1-34.9 4.5-42.8 10.4-4.7 22.9-1.4 29.9 7.8 6.8 8.9 6.6 21.7-0.5 30.5-7.3 8.9-19.4 11.7-29.7 6.9-1.4-0.6-2.6-1.4-4.2-2.4z"></path></svg>		
+		<svg version="1.2" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 489 475" width="16" height="16"><%= style_tag nonce: true do %>.a{fill:var(--cultured)}.b{fill:var(--winter-sky)}<% end %><path class="a" d="m326 348c0 37.2-0.1 73.8 0.1 110.5 0 3.6-0.8 4.6-4.6 4.6q-157.9-0.2-315.9 0c-3.4 0-4.8-0.4-4.7-4.5 0.7-20.8-1.3-41.7 1-62.4 5-43 25.1-77.7 59.7-103.7 26.6-20 56.8-29.7 90.3-29.5 25.9 0.1 51.9-0.1 77.9 0 19.1 0.1 37.2 4.5 54.8 11.8 2 0.9 3.1 2.1 4 4 8.3 17.2 19.7 32 34.6 43.9 2 1.6 2.9 3.2 2.9 5.8-0.2 6.3-0.1 12.7-0.1 19.5z"></path><path class="a" d="m300.9 104.4c1.7 48.7-17.9 85.7-60.6 108.4-67.8 36-150.6-6-163.1-81.8-10.3-62.5 34.5-122.4 97.2-129.9 60.6-7.2 115.4 33.8 125.4 93.9 0.5 2.9 0.7 5.9 1.1 9.4z"></path><path class="a" d="m348.4 155.3c34.5-24.2 77.3-23.1 108.5 2.7 48.9 40.4 39.7 118-17.3 146-2.1 1-4.1 2-7.1 3.4 9.4 9.2 18.4 18.3 27.6 27 3.1 2.8 3 4.4 0 7.2-10.5 10.2-20.7 20.8-31.2 31-2.2 2.2-2.5 3.3-0.1 5.7 10.7 10.4 21.2 21.2 31.9 31.7 2.6 2.5 2.3 3.8-0.1 6.1-18.8 18.7-37.6 37.4-56.2 56.3-2.8 2.8-4.3 2.5-6.9-0.1q-15.2-15.6-30.7-30.8c-2.5-2.4-3.4-4.9-3.4-8.3 0.1-41.3 0.1-82.7 0.1-124 0-3-0.5-5-3.6-6.7-56.8-31-62.8-106.6-11.5-147.2z"></path><path class="b" d="m386.5 220.6c-15.5-13.3-13.1-34.9 4.5-42.8 10.4-4.7 22.9-1.4 29.9 7.8 6.8 8.9 6.6 21.7-0.5 30.5-7.3 8.9-19.4 11.7-29.7 6.9-1.4-0.6-2.6-1.4-4.2-2.4z"></path></svg>		
 		Login with a Passkey
 	</button>
 	<div style="transform: scale(0.9);" >
@@ -24,7 +24,7 @@
 	</div>
 </section>
 
-<style>
+<%= style_tag nonce: true do %>
 	main {
 		padding: 5rem;
 		padding-top: 4rem;
@@ -79,4 +79,4 @@
 		align-items: center;
 		text-align: center;
 	}
-</style>
+<% end %>
diff --git a/app/views/developers/applications/index.html.erb b/app/views/developers/applications/index.html.erb
@@ -40,10 +40,10 @@
 
 </div>
 
-<style>
+<%= style_tag nonce: true do %>
   input[type=text] {
     min-width: unset;
     color: var(--bg) !important;
     border-color: var(--bg) !important;
   }
-</style>
+<% end %>
diff --git a/app/views/developers/applications/request.html.erb b/app/views/developers/applications/request.html.erb
@@ -25,7 +25,7 @@
 <% end %>
 
 
-<style>
+<%= style_tag nonce: true do %>
     form {
         max-width: 50vw;
     }
@@ -51,4 +51,4 @@
     a {
         color: var(--winter-sky);
     }
-</style>
+<% end %>
diff --git a/app/views/developers/applications/show.html.erb b/app/views/developers/applications/show.html.erb
@@ -163,7 +163,7 @@
     </div>
 </div>
 
-<style>
+<%= style_tag nonce: true do %>
   html {
     scroll-behavior: smooth !important;
   }
@@ -298,4 +298,4 @@
     background-color: rgba(255,0,0,0.1);
     border-color: var(--winter-sky);
   }
-</style>
+<% end %>
diff --git a/app/views/device_authorizations/approve.html.erb b/app/views/device_authorizations/approve.html.erb
@@ -29,7 +29,7 @@
   </section>
 </main>
 
-<style>
+<%= style_tag nonce: true do %>
 	main {
 		padding: 5rem;
 		padding-top: 4rem;
@@ -112,4 +112,4 @@
     background-color: var(--bg) !important;
     border: 2px solid var(--winter-sky);
   }
-</style>
+<% end %>
diff --git a/app/views/device_authorizations/index.html.erb b/app/views/device_authorizations/index.html.erb
@@ -15,7 +15,7 @@
   </section>
 </main>
 
-<style>
+<%= style_tag nonce: true do %>
 	main {
 		padding: 5rem;
 		padding-top: 4rem;
@@ -98,4 +98,4 @@
     background-color: var(--bg) !important;
     border: 2px solid var(--winter-sky);
   }
-</style>
+<% end %>
diff --git a/app/views/device_authorizations/success.html.erb b/app/views/device_authorizations/success.html.erb
@@ -7,7 +7,7 @@
     </h2>
 </main>
 
-<style>
+<%= style_tag nonce: true do %>
 	main {
 		padding: 5rem;
 		padding-top: 4rem;
@@ -90,4 +90,4 @@
     background-color: var(--bg) !important;
     border: 2px solid var(--winter-sky);
   }
-</style>
+<% end %>
diff --git a/app/views/domains/index.html.erb b/app/views/domains/index.html.erb
@@ -37,7 +37,7 @@
 
 </div>
 
-<style>
+<%= style_tag nonce: true do %>
   input[type=text] {
     min-width: unset;
     color: var(--bg) !important;
@@ -52,4 +52,4 @@
   .developers:hover {
     transform: translateX(1rem);
   }
-</style>
+<% end %>
diff --git a/app/views/domains/request_domain.html.erb b/app/views/domains/request_domain.html.erb
@@ -21,7 +21,7 @@
 <% end %>
 
 
-<style>
+<%= style_tag nonce: true do %>
     form {
         max-width: 50vw;
     }
@@ -47,4 +47,4 @@
     a {
         color: var(--winter-sky);
     }
-</style>
+<% end %>
diff --git a/app/views/doorkeeper/authorizations/new.html.erb b/app/views/doorkeeper/authorizations/new.html.erb
@@ -47,7 +47,7 @@
   </section>
 </main>
 
-<style>
+<%= style_tag nonce: true do %>
 	main {
 		padding: 5rem;
 		padding-top: 4rem;
@@ -130,4 +130,4 @@
     background-color: var(--bg) !important;
     border: 2px solid var(--winter-sky);
   }
-</style>
+<% end %>
diff --git a/app/views/layouts/admin.html.erb b/app/views/layouts/admin.html.erb
@@ -36,7 +36,7 @@
     <%= yield_nested %>
 </div>
 
-<script>
+<%= javascript_tag nonce: true do %>
       window.ReboundSettings = {
         publicToken: "kjvsdcjhut7bw8ny8t63nh",
         email: "<%= @_current_user.email %>",
@@ -46,13 +46,13 @@
         actionLabel: "Update email",
         actionUrl: "https://admin.obl.ong/settings",
       }
-</script>
-<script>(function(r,e,b,o,u,n,d){if(r.Rebound)return;d=function(){o="script";u=e.createElement(o);u.type="text/javascript";u.src=b;u.async=true;n=e.getElementsByTagName(o)[0];n.parentNode.insertBefore(u,n)};if(r.attachEvent){r.attachEvent("onload",d)}else{r.addEventListener("load",d,false)}})(window,document,"https://rebound.postmarkapp.com/widget/1.0");</script>
+<% end %>
+<%= javascript_tag nonce: true do %>(function(r,e,b,o,u,n,d){if(r.Rebound)return;d=function(){o="script";u=e.createElement(o);u.type="text/javascript";u.src=b;u.async=true;n=e.getElementsByTagName(o)[0];n.parentNode.insertBefore(u,n)};if(r.attachEvent){r.attachEvent("onload",d)}else{r.addEventListener("load",d,false)}})(window,document,"https://rebound.postmarkapp.com/widget/1.0");<% end %>
 
 <% if @developers %>
-    <style>
+    <%= style_tag nonce: true do %>
         body {
             border: 4px dashed var(--lemon-glacier);
         }
-    </style>
+    <% end %>
 <% end %>
diff --git a/app/views/layouts/mailer.html.erb b/app/views/layouts/mailer.html.erb
@@ -2,9 +2,9 @@
 <html>
   <head>
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-    <style>
+    <%= style_tag nonce: true do %>
       /* Email styles need to be inline */
-    </style>
+    <% end %>
   </head>
 
   <body>

diff --git a/app/views/users/email_verification.html.erb b/app/views/users/email_verification.html.erb
@@ -18,7 +18,7 @@
     </div>
 </section>
 
-<style>
+<%= style_tag nonce: true do %>
 	main {
 		padding: 5rem;
 		display: flex;
@@ -80,4 +80,4 @@
 	label {
 		text-align: left;
 	}
-</style>
+<% end %>
diff --git a/app/views/users/register.html.erb b/app/views/users/register.html.erb
@@ -24,7 +24,7 @@
 	</div>
 </section>
 
-<style>
+<%= style_tag nonce: true do %>
 	main {
 		padding: 5rem;
 		display: flex;
@@ -86,4 +86,4 @@
 	label {
 		text-align: left;
 	}
-</style>
+<% end %>
diff --git a/app/views/users/settings.html.erb b/app/views/users/settings.html.erb
@@ -53,11 +53,11 @@
     </section>
 </main>
 
-<style>
+<%= style_tag nonce: true do %>
     .logout-box {
         padding: 1rem;
         border-radius: 6px;
         border: 3px solid var(--winter-sky);
         background-color: #562132;
     }
-</style>
+<% end %>