discourse/lib/content_security_policy/middleware.rb

# frozen_string_literal: true
require_dependency 'content_security_policy'

class ContentSecurityPolicy
  class Middleware
    def initialize(app)
      @app = app
    end

    def call(env)
      request = Rack::Request.new(env)
      _, headers, _ = response = @app.call(env)

      return response unless html_response?(headers)

      # The EnforceHostname middleware ensures request.host_with_port can be trusted
      protocol = (SiteSetting.force_https || request.ssl?) ? "https://" : "http://"
      base_url = protocol + request.host_with_port + Discourse.base_uri

      theme_ids = env[:resolved_theme_ids]

      headers['Content-Security-Policy'] = policy(theme_ids, base_url: base_url, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy
      headers['Content-Security-Policy-Report-Only'] = policy(theme_ids, base_url: base_url, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy_report_only

      response
    end

    private

    delegate :policy, to: :ContentSecurityPolicy

    def html_response?(headers)
      headers['Content-Type'] && headers['Content-Type'] =~ /html/
    end
  end
end
FEATURE: allow plugins and themes to extend the default CSP (#6704) * FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/\|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now 2018-11-30 09:51:45 -05:00			`# frozen_string_literal: true`
			`require_dependency 'content_security_policy'`

			`class ContentSecurityPolicy`
			`class Middleware`
			`def initialize(app)`
			`@app = app`
			`end`

			`def call(env)`
			`request = Rack::Request.new(env)`
			`_, headers, _ = response = @app.call(env)`

			`return response unless html_response?(headers)`
FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180) - Define the CSP based on the requested domain / scheme (respecting force_https) - Update EnforceHostname middleware to allow secondary domains, add specs - Add URL scheme to anon cache key so that CSP headers are cached correctly 2020-03-19 15:54:42 -04:00
			`# The EnforceHostname middleware ensures request.host_with_port can be trusted`
			`protocol = (SiteSetting.force_https \|\| request.ssl?) ? "https://" : "http://"`
			`base_url = protocol + request.host_with_port + Discourse.base_uri`
FEATURE: allow plugins and themes to extend the default CSP (#6704) * FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/\|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now 2018-11-30 09:51:45 -05:00
FEATURE: Calculate CSP based on active themes (#6976) 2019-02-11 07:32:04 -05:00			`theme_ids = env[:resolved_theme_ids]`
DEV: Remove unsafe-eval from development CSP (#8569) - Refactor source_url to avoid using eval in development - Precompile handlebars in development - Include template compilers when running qunit - Remove unsafe-eval in development CSP - Include unsafe-eval only for qunit routes in development 2019-12-30 07:17:12 -05:00
FIX: Allow CSP to work correctly for non-default hostnames/schemes (#9180) - Define the CSP based on the requested domain / scheme (respecting force_https) - Update EnforceHostname middleware to allow secondary domains, add specs - Add URL scheme to anon cache key so that CSP headers are cached correctly 2020-03-19 15:54:42 -04:00			`headers['Content-Security-Policy'] = policy(theme_ids, base_url: base_url, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy`
			`headers['Content-Security-Policy-Report-Only'] = policy(theme_ids, base_url: base_url, path_info: env["PATH_INFO"]) if SiteSetting.content_security_policy_report_only`
FEATURE: allow plugins and themes to extend the default CSP (#6704) * FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/\|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now 2018-11-30 09:51:45 -05:00
			`response`
			`end`

			`private`

			`delegate :policy, to: :ContentSecurityPolicy`

			`def html_response?(headers)`
			`headers['Content-Type'] && headers['Content-Type'] =~ /html/`
			`end`
			`end`
			`end`