discourse/lib/content_security_policy.rb

84 lines
2.1 KiB
Ruby

# frozen_string_literal: true
require_dependency 'global_path'
class ContentSecurityPolicy
include GlobalPath
class Middleware
WHITELISTED_PATHS = %w(
/logs
)
def initialize(app)
@app = app
end
def call(env)
request = Rack::Request.new(env)
_, headers, _ = response = @app.call(env)
return response unless html_response?(headers) && ContentSecurityPolicy.enabled?
return response if whitelisted?(request.path)
policy = ContentSecurityPolicy.new.build
headers['Content-Security-Policy'] = policy if SiteSetting.content_security_policy
headers['Content-Security-Policy-Report-Only'] = policy if SiteSetting.content_security_policy_report_only
response
end
private
def html_response?(headers)
headers['Content-Type'] && headers['Content-Type'] =~ /html/
end
def whitelisted?(path)
if GlobalSetting.relative_url_root
path.slice!(/^#{Regexp.quote(GlobalSetting.relative_url_root)}/)
end
WHITELISTED_PATHS.any? { |whitelisted| path.start_with?(whitelisted) }
end
end
def self.enabled?
SiteSetting.content_security_policy || SiteSetting.content_security_policy_report_only
end
def initialize
@directives = {
script_src: script_src,
}
@directives[:report_uri] = path('/csp_reports') if SiteSetting.content_security_policy_collect_reports
end
def build
policy = ActionDispatch::ContentSecurityPolicy.new
@directives.each do |directive, sources|
if sources.is_a?(Array)
policy.public_send(directive, *sources)
else
policy.public_send(directive, sources)
end
end
policy.build
end
private
def script_src
sources = [:self, :unsafe_eval]
sources << :https if SiteSetting.force_https
sources << Discourse.asset_host if Discourse.asset_host.present?
sources << 'www.google-analytics.com' if SiteSetting.ga_universal_tracking_code.present?
sources << 'www.googletagmanager.com' if SiteSetting.gtm_container_id.present?
sources.concat(SiteSetting.content_security_policy_script_src.split('|'))
end
end