mastodon/config/initializers/content_security_policy.rb

# frozen_string_literal: true

# Define an application-wide content security policy
# For further information see the following documentation
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

def host_to_url(str)
  "http#{Rails.configuration.x.use_https ? 's' : ''}://#{str.split('/').first}" if str.present?
end

base_host = Rails.configuration.x.web_domain

assets_host   = Rails.configuration.action_controller.asset_host
assets_host ||= host_to_url(base_host)

media_host   = host_to_url(ENV['S3_ALIAS_HOST'])
media_host ||= host_to_url(ENV['S3_CLOUDFRONT_HOST'])
media_host ||= host_to_url(ENV['AZURE_ALIAS_HOST'])
media_host ||= host_to_url(ENV['S3_HOSTNAME']) if ENV['S3_ENABLED'] == 'true'
media_host ||= assets_host

def sso_host
  return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true'
  return unless ENV['OMNIAUTH_ONLY'] == 'true'
  return unless Devise.omniauth_providers.length == 1

  provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
  @sso_host ||= begin
    case provider.provider
    when :cas
      provider.cas_url
    when :saml
      provider.options[:idp_sso_target_url]
    when :openid_connect
      provider.options.dig(:client_options, :authorization_endpoint) || OpenIDConnect::Discovery::Provider::Config.discover!(provider.options[:issuer]).authorization_endpoint
    end
  end
end

Rails.application.config.content_security_policy do |p|
  p.base_uri        :none
  p.default_src     :none
  p.frame_ancestors :none
  p.font_src        :self, assets_host
  p.img_src         :self, :https, :data, :blob, assets_host
  p.style_src       :self, assets_host
  p.media_src       :self, :https, :data, assets_host
  p.frame_src       :self, :https
  p.manifest_src    :self, assets_host

  if sso_host.present?
    p.form_action     :self, sso_host
  else
    p.form_action     :self
  end

  p.child_src       :self, :blob, assets_host
  p.worker_src      :self, :blob, assets_host

  if Rails.env.development?
    webpacker_public_host = ENV.fetch('WEBPACKER_DEV_SERVER_PUBLIC', Webpacker.config.dev_server[:public])
    webpacker_urls = %w(ws http).map { |protocol| "#{protocol}#{Webpacker.dev_server.https? ? 's' : ''}://#{webpacker_public_host}" }

    p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url, *webpacker_urls
    p.script_src  :self, :unsafe_inline, :unsafe_eval, assets_host
  else
    p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url
    p.script_src  :self, assets_host, "'wasm-unsafe-eval'"
  end
end

# Report CSP violations to a specified URI
# For further information see the following documentation:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
# Rails.application.config.content_security_policy_report_only = true

Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }

Rails.application.config.content_security_policy_nonce_directives = %w(style-src)

Rails.application.reloader.to_prepare do
  PgHero::HomeController.content_security_policy do |p|
    p.script_src :self, :unsafe_inline, assets_host
    p.style_src  :self, :unsafe_inline, assets_host
  end

  PgHero::HomeController.after_action do
    request.content_security_policy_nonce_generator = nil
  end

  if Rails.env.development?
    LetterOpenerWeb::LettersController.content_security_policy do |p|
      p.child_src       :self
      p.connect_src     :none
      p.frame_ancestors :self
      p.frame_src       :self
      p.script_src      :unsafe_inline
      p.style_src       :unsafe_inline
      p.worker_src      :none
    end

    LetterOpenerWeb::LettersController.after_action do |p|
      request.content_security_policy_nonce_directives = %w(script-src)
    end
  end
end
Enable Rubocop Style/FrozenStringLiteralComment (#23793) 2023-07-12 07:47:08 +00:00			`# frozen_string_literal: true`

Upgrade Rails to version 5.2.0 (#5898) 2018-04-12 12:45:17 +00:00			`# Define an application-wide content security policy`
			`# For further information see the following documentation`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy`

Fix media host not being included in connect-src for OCR (#11577) 2019-08-15 23:54:36 +00:00			`def host_to_url(str)`
Fix CSP headers being unintendedly wide (#26105) 2023-07-21 11:34:15 +00:00			`"http#{Rails.configuration.x.use_https ? 's' : ''}://#{str.split('/').first}" if str.present?`
Fix media host not being included in connect-src for OCR (#11577) 2019-08-15 23:54:36 +00:00			`end`

			`base_host = Rails.configuration.x.web_domain`

Fix CSP headers blocking media and development environment (#8962) Regression from #8957 2018-10-11 23:43:09 +00:00			`assets_host = Rails.configuration.action_controller.asset_host`
Fix media host not being included in connect-src for OCR (#11577) 2019-08-15 23:54:36 +00:00			`assets_host \|\|= host_to_url(base_host)`

			`media_host = host_to_url(ENV['S3_ALIAS_HOST'])`
			`media_host \|\|= host_to_url(ENV['S3_CLOUDFRONT_HOST'])`
Paperclip: add support for Azure blob storage (#23607) 2023-07-19 07:02:49 +00:00			`media_host \|\|= host_to_url(ENV['AZURE_ALIAS_HOST'])`
Fix media host not being included in connect-src for OCR (#11577) 2019-08-15 23:54:36 +00:00			`media_host \|\|= host_to_url(ENV['S3_HOSTNAME']) if ENV['S3_ENABLED'] == 'true'`
			`media_host \|\|= assets_host`
Set Content-Security-Policy rules through RoR's config (#8957) * Set CSP rules in RoR's configuration * Override CSP setting in the embed controller to allow frames 2018-10-11 18:35:46 +00:00
Fix #26849 by adding the domain of the current SSO provider to the form-action CSP (#26857) 2023-09-12 11:04:51 +00:00			`def sso_host`
			`return unless ENV['ONE_CLICK_SSO_LOGIN'] == 'true'`
			`return unless ENV['OMNIAUTH_ONLY'] == 'true'`
			`return unless Devise.omniauth_providers.length == 1`

			`provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]`
			`@sso_host \|\|= begin`
Fix CSP when using `ONE_CLICK_SSO_LOGIN` (#26901) 2023-09-13 17:54:04 +00:00			`case provider.provider`
			`when :cas`
			`provider.cas_url`
			`when :saml`
			`provider.options[:idp_sso_target_url]`
			`when :openid_connect`
			`provider.options.dig(:client_options, :authorization_endpoint) \|\| OpenIDConnect::Discovery::Provider::Config.discover!(provider.options[:issuer]).authorization_endpoint`
			`end`
Fix #26849 by adding the domain of the current SSO provider to the form-action CSP (#26857) 2023-09-12 11:04:51 +00:00			`end`
			`end`

Set Content-Security-Policy rules through RoR's config (#8957) * Set CSP rules in RoR's configuration * Override CSP setting in the embed controller to allow frames 2018-10-11 18:35:46 +00:00			`Rails.application.config.content_security_policy do \|p\|`
			`p.base_uri :none`
			`p.default_src :none`
			`p.frame_ancestors :none`
			`p.font_src :self, assets_host`
Fix CSP headers blocking media and development environment (#8962) Regression from #8957 2018-10-11 23:43:09 +00:00			`p.img_src :self, :https, :data, :blob, assets_host`
Remove 'unsafe-inline' from Content-Security-Policy style-src (#13679) * Make sure wicg-inert doesn't rely on inline CSS * Remove unsafe-inline from style-src 2020-05-08 19:22:57 +00:00			`p.style_src :self, assets_host`
Fix CSP headers blocking media and development environment (#8962) Regression from #8957 2018-10-11 23:43:09 +00:00			`p.media_src :self, :https, :data, assets_host`
Set Content-Security-Policy rules through RoR's config (#8957) * Set CSP rules in RoR's configuration * Override CSP setting in the embed controller to allow frames 2018-10-11 18:35:46 +00:00			`p.frame_src :self, :https`
Add manifest_src to CSP, add blob to connect_src (#8967) 2018-10-12 17:07:30 +00:00			`p.manifest_src :self, assets_host`
Fix #26849 by adding the domain of the current SSO provider to the form-action CSP (#26857) 2023-09-12 11:04:51 +00:00
			`if sso_host.present?`
			`p.form_action :self, sso_host`
			`else`
			`p.form_action :self`
			`end`

Autofix Rubocop Style/IdenticalConditionalBranches (#24322) 2023-03-31 07:33:52 +00:00			`p.child_src :self, :blob, assets_host`
			`p.worker_src :self, :blob, assets_host`
Fix CSP headers blocking media and development environment (#8962) Regression from #8957 2018-10-11 23:43:09 +00:00
			`if Rails.env.development?`
Support webpacker live-reloading on Docker (#26419) 2023-08-29 08:17:57 +00:00			`webpacker_public_host = ENV.fetch('WEBPACKER_DEV_SERVER_PUBLIC', Webpacker.config.dev_server[:public])`
			`webpacker_urls = %w(ws http).map { \|protocol\| "#{protocol}#{Webpacker.dev_server.https? ? 's' : ''}://#{webpacker_public_host}" }`
Fix CSP headers blocking media and development environment (#8962) Regression from #8957 2018-10-11 23:43:09 +00:00
Fix media host not being included in connect-src for OCR (#11577) 2019-08-15 23:54:36 +00:00			`p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url, *webpacker_urls`
Fix CSP needlessly allowing blob URLs in script-src (#11620) 2019-08-19 18:36:58 +00:00			`p.script_src :self, :unsafe_inline, :unsafe_eval, assets_host`
Fix CSP headers blocking media and development environment (#8962) Regression from #8957 2018-10-11 23:43:09 +00:00			`else`
Fix media host not being included in connect-src for OCR (#11577) 2019-08-15 23:54:36 +00:00			`p.connect_src :self, :data, :blob, assets_host, media_host, Rails.configuration.x.streaming_api_base_url`
Fix wrong directive `unsafe-wasm-eval` to `wasm-unsafe-eval` (#20729) 2022-11-15 02:39:06 +00:00			`p.script_src :self, assets_host, "'wasm-unsafe-eval'"`
Fix CSP headers blocking media and development environment (#8962) Regression from #8957 2018-10-11 23:43:09 +00:00			`end`
Set Content-Security-Policy rules through RoR's config (#8957) * Set CSP rules in RoR's configuration * Override CSP setting in the embed controller to allow frames 2018-10-11 18:35:46 +00:00			`end`
Upgrade Rails to version 5.2.0 (#5898) 2018-04-12 12:45:17 +00:00
			`# Report CSP violations to a specified URI`
			`# For further information see the following documentation:`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only`
			`# Rails.application.config.content_security_policy_report_only = true`
Fix PgHero Content-Security-Policy when CDN_HOST is used (#13595) 2020-05-04 11:52:41 +00:00
Fix hashtag column options styling (#14247) * Enable nonces for stylesheets * Pass nonce to react-select 2020-07-06 23:33:38 +00:00			`Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }`

Update Mastodon to Rails 6.1 (#15910) * Update devise-two-factor to unreleased fork for Rails 6 support Update tests to match new `rotp` version. * Update nsa gem to unreleased fork for Rails 6 support * Update rails to 6.1.3 and rails-i18n to 6.0 * Update to unreleased fork of pluck_each for Ruby 6 support * Run "rails app:update" * Add missing ActiveStorage config file * Use config.ssl_options instead of removed ApplicationController#force_ssl Disabled force_ssl-related tests as they do not seem to be easily testable anymore. * Fix nonce directives by removing Rails 5 specific monkey-patching * Fix fixture_file_upload deprecation warning * Fix yield-based test failing with Rails 6 * Use Rails 6's index_with when possible * Use ActiveRecord::Cache::Store#delete_multi from Rails 6 This will yield better performances when deleting an account * Disable Rails 6.1's automatic preload link headers Since Rails 6.1, ActionView adds preload links for javascript files in the Links header per default. In our case, that will bloat headers too much and potentially cause issues with reverse proxies. Furhermore, we don't need those links, as we already output them as HTML link tags. * Switch to Rails 6.0 default config * Switch to Rails 6.1 default config * Do not include autoload paths in the load path 2021-03-24 09:44:31 +00:00			`Rails.application.config.content_security_policy_nonce_directives = %w(style-src)`
Fix hashtag column options styling (#14247) * Enable nonces for stylesheets * Pass nonce to react-select 2020-07-06 23:33:38 +00:00
Fix autoloading deprecation warnings from Rails 6 (#16010) 2021-04-09 00:31:20 +00:00			`Rails.application.reloader.to_prepare do`
			`PgHero::HomeController.content_security_policy do \|p\|`
			`p.script_src :self, :unsafe_inline, assets_host`
			`p.style_src :self, :unsafe_inline, assets_host`
			`end`
Fix hashtag column options styling (#14247) * Enable nonces for stylesheets * Pass nonce to react-select 2020-07-06 23:33:38 +00:00
Fix autoloading deprecation warnings from Rails 6 (#16010) 2021-04-09 00:31:20 +00:00			`PgHero::HomeController.after_action do`
			`request.content_security_policy_nonce_generator = nil`
			`end`
Fix LetterOpennerWeb CSP (#17770) 2022-03-14 18:20:40 +00:00
			`if Rails.env.development?`
			`LetterOpenerWeb::LettersController.content_security_policy do \|p\|`
			`p.child_src :self`
			`p.connect_src :none`
			`p.frame_ancestors :self`
			`p.frame_src :self`
			`p.script_src :unsafe_inline`
			`p.style_src :unsafe_inline`
			`p.worker_src :none`
			`end`

			`LetterOpenerWeb::LettersController.after_action do \|p\|`
			`request.content_security_policy_nonce_directives = %w(script-src)`
			`end`
			`end`
Fix hashtag column options styling (#14247) * Enable nonces for stylesheets * Pass nonce to react-select 2020-07-06 23:33:38 +00:00			`end`