2018-11-30 09:51:45 -05:00
|
|
|
# frozen_string_literal: true
|
2022-03-21 10:28:52 -04:00
|
|
|
require "content_security_policy"
|
2018-11-30 09:51:45 -05:00
|
|
|
|
|
|
|
class ContentSecurityPolicy
|
|
|
|
class Default
|
|
|
|
attr_reader :directives
|
|
|
|
|
2020-03-19 15:54:42 -04:00
|
|
|
def initialize(base_url:)
|
|
|
|
@base_url = base_url
|
2018-11-30 09:51:45 -05:00
|
|
|
@directives =
|
|
|
|
{}.tap do |directives|
|
2021-06-09 20:53:10 -04:00
|
|
|
directives[:upgrade_insecure_requests] = [] if SiteSetting.force_https
|
2021-07-07 09:43:48 -04:00
|
|
|
directives[:base_uri] = [:self]
|
2019-01-09 15:04:50 -05:00
|
|
|
directives[:object_src] = [:none]
|
2018-11-30 09:51:45 -05:00
|
|
|
directives[:script_src] = script_src
|
|
|
|
directives[:worker_src] = worker_src
|
|
|
|
directives[
|
|
|
|
:report_uri
|
|
|
|
] = report_uri if SiteSetting.content_security_policy_collect_reports
|
2021-03-22 15:00:25 -04:00
|
|
|
directives[:frame_ancestors] = frame_ancestors if restrict_embed?
|
2021-06-08 09:32:31 -04:00
|
|
|
directives[:manifest_src] = ["'self'"]
|
2018-11-30 09:51:45 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
2020-03-19 15:54:42 -04:00
|
|
|
def base_url
|
|
|
|
@base_url
|
|
|
|
end
|
2018-11-30 09:51:45 -05:00
|
|
|
|
|
|
|
SCRIPT_ASSET_DIRECTORIES = [
|
2020-08-14 07:30:39 -04:00
|
|
|
# [dir, can_use_s3_cdn, can_use_cdn, for_worker]
|
|
|
|
["/assets/", true, true, true],
|
|
|
|
["/brotli_asset/", true, true, true],
|
|
|
|
["/extra-locales/", false, false, false],
|
|
|
|
["/highlight-js/", false, true, false],
|
|
|
|
["/javascripts/", false, true, true],
|
|
|
|
["/plugins/", false, true, true],
|
|
|
|
["/theme-javascripts/", false, true, false],
|
|
|
|
["/svg-sprite/", false, true, false],
|
2018-11-30 09:51:45 -05:00
|
|
|
]
|
|
|
|
|
2022-12-08 05:36:20 -05:00
|
|
|
def script_assets(
|
|
|
|
base = base_url,
|
|
|
|
s3_cdn = GlobalSetting.s3_asset_cdn_url.presence || GlobalSetting.s3_cdn_url,
|
|
|
|
cdn = GlobalSetting.cdn_url,
|
|
|
|
worker: false
|
|
|
|
)
|
2020-08-14 07:30:39 -04:00
|
|
|
SCRIPT_ASSET_DIRECTORIES
|
|
|
|
.map do |dir, can_use_s3_cdn, can_use_cdn, for_worker|
|
|
|
|
next if worker && !for_worker
|
2018-11-30 09:51:45 -05:00
|
|
|
if can_use_s3_cdn && s3_cdn
|
|
|
|
s3_cdn + dir
|
|
|
|
elsif can_use_cdn && cdn
|
2020-10-09 07:51:24 -04:00
|
|
|
cdn + Discourse.base_path + dir
|
2018-11-30 09:51:45 -05:00
|
|
|
else
|
|
|
|
base + dir
|
2023-01-09 07:10:19 -05:00
|
|
|
end
|
2018-11-30 09:51:45 -05:00
|
|
|
end
|
2020-08-14 07:30:39 -04:00
|
|
|
.compact
|
2018-11-30 09:51:45 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
def script_src
|
|
|
|
[
|
|
|
|
"#{base_url}/logs/",
|
|
|
|
"#{base_url}/sidekiq/",
|
|
|
|
"#{base_url}/mini-profiler-resources/",
|
|
|
|
*script_assets,
|
|
|
|
].tap do |sources|
|
2020-04-02 11:16:38 -04:00
|
|
|
sources << :report_sample if SiteSetting.content_security_policy_collect_reports
|
2020-01-24 13:18:03 -05:00
|
|
|
sources << :unsafe_eval if Rails.env.development? # TODO remove this once we have proper source maps in dev
|
2021-04-27 13:55:23 -04:00
|
|
|
|
|
|
|
# Support Ember CLI Live reload
|
|
|
|
if Rails.env.development?
|
|
|
|
sources << "#{base_url}/ember-cli-live-reload.js"
|
|
|
|
sources << "#{base_url}/_lr/"
|
|
|
|
end
|
|
|
|
|
2020-11-06 15:15:36 -05:00
|
|
|
# we need analytics.js still as gtag/js is a script wrapper for it
|
2020-10-13 13:20:41 -04:00
|
|
|
if SiteSetting.ga_universal_tracking_code.present?
|
|
|
|
sources << "https://www.google-analytics.com/analytics.js"
|
2023-01-09 07:10:19 -05:00
|
|
|
end
|
2020-11-06 15:15:36 -05:00
|
|
|
if SiteSetting.ga_universal_tracking_code.present? && SiteSetting.ga_version == "v4_gtag"
|
|
|
|
sources << "https://www.googletagmanager.com/gtag/js"
|
2023-01-09 07:10:19 -05:00
|
|
|
end
|
2021-03-26 11:19:31 -04:00
|
|
|
if SiteSetting.gtm_container_id.present?
|
|
|
|
sources << "https://www.googletagmanager.com/gtm.js"
|
|
|
|
sources << "'nonce-#{ApplicationHelper.google_tag_manager_nonce}'"
|
|
|
|
end
|
2022-06-30 09:22:00 -04:00
|
|
|
|
2022-09-01 04:58:48 -04:00
|
|
|
sources << "'#{SplashScreenHelper.fingerprint}'" if SiteSetting.splash_screen
|
2018-11-30 09:51:45 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def worker_src
|
|
|
|
[
|
2020-08-14 13:15:30 -04:00
|
|
|
"'self'", # For service worker
|
2020-08-14 07:30:39 -04:00
|
|
|
*script_assets(worker: true),
|
2018-11-30 09:51:45 -05:00
|
|
|
]
|
|
|
|
end
|
|
|
|
|
|
|
|
def report_uri
|
|
|
|
"#{base_url}/csp_reports"
|
|
|
|
end
|
2021-03-22 15:00:25 -04:00
|
|
|
|
|
|
|
def frame_ancestors
|
|
|
|
["'self'", *EmbeddableHost.pluck(:host).map { |host| "https://#{host}" }]
|
|
|
|
end
|
|
|
|
|
|
|
|
def restrict_embed?
|
|
|
|
SiteSetting.content_security_policy_frame_ancestors && !SiteSetting.embed_any_origin
|
|
|
|
end
|
2018-11-30 09:51:45 -05:00
|
|
|
end
|
|
|
|
end
|