FEATURE: allow plugins and themes to extend the default CSP (#6704)

* FEATURE: allow plugins and themes to extend the default CSP For plugins: ``` extend_content_security_policy( script_src: ['https://domain.com/script.js', 'https://your-cdn.com/'], style_src: ['https://domain.com/style.css'] ) ``` For themes and components: ``` extend_content_security_policy: type: list default: "script_src:https://domain.com/|style_src:https://domain.com" ``` * clear CSP base url before each test we have a test that stubs `Rails.env.development?` to true * Only allow extending directives that core includes, for now
2025-02-25 18:55:32 -06:00 · 2018-11-30 09:51:45 -05:00
parent 7dec963f2e
commit 488fba3c5f
13 changed files with 384 additions and 114 deletions
--- a/lib/content_security_policy/default.rb
+++ b/lib/content_security_policy/default.rb
@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+require_dependency 'content_security_policy'
+
+class ContentSecurityPolicy
+  class Default
+    attr_reader :directives
+
+    def initialize
+      @directives = {}.tap do |directives|
+        directives[:script_src] = script_src
+        directives[:worker_src] = worker_src
+        directives[:report_uri] = report_uri if SiteSetting.content_security_policy_collect_reports
+      end
+    end
+
+    private
+
+    delegate :base_url, to: :ContentSecurityPolicy
+
+    SCRIPT_ASSET_DIRECTORIES = [
+      # [dir, can_use_s3_cdn, can_use_cdn]
+      ['/assets/',             true, true],
+      ['/brotli_asset/',       true, true],
+      ['/extra-locales/',      false, false],
+      ['/highlight-js/',       false, true],
+      ['/javascripts/',        false, true],
+      ['/plugins/',            false, true],
+      ['/theme-javascripts/',  false, true],
+      ['/svg-sprite/',         false, true],
+    ]
+
+    def script_assets(base = base_url, s3_cdn = GlobalSetting.s3_cdn_url, cdn = GlobalSetting.cdn_url)
+      SCRIPT_ASSET_DIRECTORIES.map do |dir, can_use_s3_cdn, can_use_cdn|
+        if can_use_s3_cdn && s3_cdn
+          s3_cdn + dir
+        elsif can_use_cdn && cdn
+          cdn + dir
+        else
+          base + dir
+        end
+      end
+    end
+
+    def script_src
+      [
+        :unsafe_eval,
+        "#{base_url}/logs/",
+        "#{base_url}/sidekiq/",
+        "#{base_url}/mini-profiler-resources/",
+        *script_assets
+      ].tap do |sources|
+        sources << 'https://www.google-analytics.com' if SiteSetting.ga_universal_tracking_code.present?
+        sources << 'https://www.googletagmanager.com' if SiteSetting.gtm_container_id.present?
+      end
+    end
+
+    def worker_src
+      [
+        :self,
+        :blob, # ACE editor registers a service worker with a blob for syntax checking
+      ]
+    end
+
+    def report_uri
+      "#{base_url}/csp_reports"
+    end
+  end
+end