2018-11-30 08:51:45 -06:00
|
|
|
# frozen_string_literal: true
|
2023-01-09 06:10:19 -06:00
|
|
|
require "content_security_policy"
|
2018-11-30 08:51:45 -06:00
|
|
|
|
|
|
|
class ContentSecurityPolicy
|
|
|
|
class Middleware
|
|
|
|
def initialize(app)
|
|
|
|
@app = app
|
|
|
|
end
|
|
|
|
|
|
|
|
def call(env)
|
|
|
|
request = Rack::Request.new(env)
|
|
|
|
_, headers, _ = response = @app.call(env)
|
|
|
|
|
|
|
|
return response unless html_response?(headers)
|
2020-03-19 14:54:42 -05:00
|
|
|
|
|
|
|
# The EnforceHostname middleware ensures request.host_with_port can be trusted
|
|
|
|
protocol = (SiteSetting.force_https || request.ssl?) ? "https://" : "http://"
|
2020-10-09 06:51:24 -05:00
|
|
|
base_url = protocol + request.host_with_port + Discourse.base_path
|
2018-11-30 08:51:45 -06:00
|
|
|
|
2021-06-15 01:57:17 -05:00
|
|
|
theme_id = env[:resolved_theme_id]
|
2019-12-30 06:17:12 -06:00
|
|
|
|
2023-01-09 06:10:19 -06:00
|
|
|
headers["Content-Security-Policy"] = policy(
|
|
|
|
theme_id,
|
|
|
|
base_url: base_url,
|
|
|
|
path_info: env["PATH_INFO"],
|
|
|
|
) if SiteSetting.content_security_policy
|
|
|
|
headers["Content-Security-Policy-Report-Only"] = policy(
|
|
|
|
theme_id,
|
|
|
|
base_url: base_url,
|
|
|
|
path_info: env["PATH_INFO"],
|
|
|
|
) if SiteSetting.content_security_policy_report_only
|
2018-11-30 08:51:45 -06:00
|
|
|
|
|
|
|
response
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
delegate :policy, to: :ContentSecurityPolicy
|
|
|
|
|
|
|
|
def html_response?(headers)
|
2023-01-09 06:10:19 -06:00
|
|
|
headers["Content-Type"] && headers["Content-Type"] =~ /html/
|
2018-11-30 08:51:45 -06:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|