From bc151f5eb0a2167ba37312954bd758d5fb7465d4 Mon Sep 17 00:00:00 2001
From: Bart de Water <118401830+bdewater-thatch@users.noreply.github.com>
Date: Wed, 22 Feb 2023 16:07:42 -0500
Subject: [PATCH] Stricter CSP for override_csp

This CSP has been working for us in production without warnings for a few months, and actually locks things down compared to the previous one.
---
 app/controllers/blazer/base_controller.rb | 21 ++++++++++++++++---
 app/views/blazer/_variables.html.erb | 8 +++----
 app/views/blazer/checks/_form.html.erb | 8 +++----
 app/views/blazer/checks/index.html.erb | 2 +-
 app/views/blazer/dashboards/_form.html.erb | 2 +-
 app/views/blazer/dashboards/show.html.erb | 2 +-
 app/views/blazer/queries/_form.html.erb | 2 +-
 app/views/blazer/queries/home.html.erb | 2 +-
 app/views/blazer/queries/run.html.erb | 4 ++--
 app/views/blazer/queries/schema.html.erb | 2 +-
 app/views/blazer/queries/show.html.erb | 4 ++--
 app/views/blazer/uploads/index.html.erb | 2 +-
 app/views/layouts/blazer/application.html.erb | 8 +++----
 13 files changed, 41 insertions(+), 26 deletions(-)
diff --git a/app/controllers/blazer/base_controller.rb b/app/controllers/blazer/base_controller.rb
index 9d7253aae..925ddeee0 100644
--- a/app/controllers/blazer/base_controller.rb
+++ b/app/controllers/blazer/base_controller.rb
@@ -23,9 +23,7 @@ class BaseController < ApplicationController
 end
 
 if Blazer.override_csp
- after_action do
- response.headers['Content-Security-Policy'] = "default-src 'self' https: 'unsafe-inline' 'unsafe-eval' data: blob:"
- end
+ after_action :override_csp
 end
 
 layout "blazer/application"
@@ -129,5 +127,22 @@ def render_errors(resource)
 def default_url_options
 {}
 end
+
+ def override_csp
+ script_nonce = content_security_policy_nonce || raise(Blazer::Error, "couldn't find nonce for script-src")
+
+ response.headers['Content-Security-Policy'] = <<~CSP.squish
+ default-src 'self';
+ base-uri 'none';
+ img-src 'self' #{Rails.configuration.asset_host} data: blob:;
+ script-src 'self' 'nonce-#{script_nonce}' 'strict-dynamic' 'unsafe-eval' https: 'report-sample';
+ style-src 'self' #{Rails.configuration.asset_host} 'unsafe-inline' 'report-sample';
+ object-src 'none';
+ connect-src 'self' #{"https://*.tiles.mapbox.com https://api.mapbox.com https://events.mapbox.com" if Blazer.maps?};
+ child-src blob:;
+ worker-src blob: ;
+ form-action 'self';
+ CSP
+ end
 end
 end
diff --git a/app/views/blazer/_variables.html.erb b/app/views/blazer/_variables.html.erb
index a2bc8df1f..349f43115 100644
--- a/app/views/blazer/_variables.html.erb
+++ b/app/views/blazer/_variables.html.erb
@@ -1,6 +1,6 @@
 <% if @bind_vars.any? %>
 <% var_params = request.query_parameters %>
-
@@ -38,7 +38,7 @@
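Review bot: `Rails.configuration.asset_host` is interpolated raw into the `img-src` and `style-src` lines of the heredoc, but Rails also accepts a Proc/callable or a `%d` wildcard pattern for asset_host, and either produces an unparseable source in the header (a Proc's `to_s`, or a `%d.` host) that browsers drop with a console error rather than honour. Read it once and restrict the interpolation to the plain-string case, e.g. `asset_host = Rails.configuration.asset_host` / `asset_host = nil unless asset_host.is_a?(String)`, then use `#{asset_host}` in both directives. `'unsafe-eval'` is still allowed for `script-src`, so the stricter policy described in the commit message covers inline scripts only; a why-comment naming the bundled library that presumably needs it would keep a later reader from removing or retaining it blindly. The `raise` in the nonce lookup runs inside an after_action, so a host app that has not configured `config.content_security_policy_nonce_generator` now gets a 500 on every Blazer page where `Blazer.override_csp` previously worked without any nonce setup; state that new requirement in a comment on `override_csp` and in the README.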