discourse/lib/content_security_policy.rb

# frozen_string_literal: true
require_dependency 'global_path'

class ContentSecurityPolicy
  include GlobalPath

  class Middleware
    WHITELISTED_PATHS = %w(
      /logs
    )

    def initialize(app)
      @app = app
    end

    def call(env)
      request = Rack::Request.new(env)
      _, headers, _ = response = @app.call(env)

      return response unless html_response?(headers) && ContentSecurityPolicy.enabled?
      return response if whitelisted?(request.path)

      policy = ContentSecurityPolicy.new.build
      headers['Content-Security-Policy'] = policy if SiteSetting.content_security_policy
      headers['Content-Security-Policy-Report-Only'] = policy if SiteSetting.content_security_policy_report_only

      response
    end

    private

    def html_response?(headers)
      headers['Content-Type'] && headers['Content-Type'] =~ /html/
    end

    def whitelisted?(path)
      if GlobalSetting.relative_url_root
        path.slice!(/^#{Regexp.quote(GlobalSetting.relative_url_root)}/)
      end

      WHITELISTED_PATHS.any? { |whitelisted| path.start_with?(whitelisted) }
    end
  end

  def self.enabled?
    SiteSetting.content_security_policy || SiteSetting.content_security_policy_report_only
  end

  def initialize
    @directives = {
      script_src: script_src,
    }

    @directives[:report_uri] = path('/csp_reports') if SiteSetting.content_security_policy_collect_reports
  end

  def build
    policy = ActionDispatch::ContentSecurityPolicy.new

    @directives.each do |directive, sources|
      if sources.is_a?(Array)
        policy.public_send(directive, *sources)
      else
        policy.public_send(directive, sources)
      end
    end

    policy.build
  end

  private

  def script_src
    sources = [:self, :unsafe_eval]

    sources << :https if SiteSetting.force_https
    sources << Discourse.asset_host if Discourse.asset_host.present?
    sources << 'www.google-analytics.com' if SiteSetting.ga_universal_tracking_code.present?
    sources << 'www.googletagmanager.com' if SiteSetting.gtm_container_id.present?

    sources.concat(SiteSetting.content_security_policy_script_src.split('|'))
  end
end
FEATURE: [Experimental] Content Security Policy (#6514) do not register new MIME type, parse raw body instead 2018-10-22 13:22:23 -04:00			`# frozen_string_literal: true`
			`require_dependency 'global_path'`

			`class ContentSecurityPolicy`
			`include GlobalPath`

			`class Middleware`
			`WHITELISTED_PATHS = %w(`
			`/logs`
			`)`

			`def initialize(app)`
			`@app = app`
			`end`

			`def call(env)`
			`request = Rack::Request.new(env)`
			`_, headers, _ = response = @app.call(env)`

			`return response unless html_response?(headers) && ContentSecurityPolicy.enabled?`
			`return response if whitelisted?(request.path)`

			`policy = ContentSecurityPolicy.new.build`
			`headers['Content-Security-Policy'] = policy if SiteSetting.content_security_policy`
			`headers['Content-Security-Policy-Report-Only'] = policy if SiteSetting.content_security_policy_report_only`

			`response`
			`end`

			`private`

			`def html_response?(headers)`
			`headers['Content-Type'] && headers['Content-Type'] =~ /html/`
			`end`

			`def whitelisted?(path)`
			`if GlobalSetting.relative_url_root`
			`path.slice!(/^#{Regexp.quote(GlobalSetting.relative_url_root)}/)`
			`end`

			`WHITELISTED_PATHS.any? { \|whitelisted\| path.start_with?(whitelisted) }`
			`end`
			`end`

			`def self.enabled?`
			`SiteSetting.content_security_policy \|\| SiteSetting.content_security_policy_report_only`
			`end`

			`def initialize`
			`@directives = {`
			`script_src: script_src,`
			`}`

			`@directives[:report_uri] = path('/csp_reports') if SiteSetting.content_security_policy_collect_reports`
			`end`

			`def build`
			`policy = ActionDispatch::ContentSecurityPolicy.new`

			`@directives.each do \|directive, sources\|`
			`if sources.is_a?(Array)`
			`policy.public_send(directive, *sources)`
			`else`
			`policy.public_send(directive, sources)`
			`end`
			`end`

			`policy.build`
			`end`

			`private`

			`def script_src`
			`sources = [:self, :unsafe_eval]`

			`sources << :https if SiteSetting.force_https`
			`sources << Discourse.asset_host if Discourse.asset_host.present?`
			`sources << 'www.google-analytics.com' if SiteSetting.ga_universal_tracking_code.present?`
			`sources << 'www.googletagmanager.com' if SiteSetting.gtm_container_id.present?`

			`sources.concat(SiteSetting.content_security_policy_script_src.split('\|'))`
			`end`
			`end`