Unverified Commit 4f6018c7 authored by Benjamin Neff's avatar Benjamin Neff Committed by Dennis Schubert
Browse files

Bump secure_headers 

closes #7151
parent 0dd98a5c

Gemfile

+1 −1
Original line number Diff line number Diff line
@@ -138,7 +138,7 @@ gem "open_graph_reader", "0.6.1" 


# Security Headers



gem "secure_headers", "3.4.1"

gem "secure_headers", "3.5.0"



# Services

Gemfile.lock

+2 −2
Original line number Diff line number Diff line
@@ -778,7 +778,7 @@ GEM 
    scss_lint (0.49.0)

      rake (>= 0.9, < 12)

      sass (~> 3.4.20)

    secure_headers (3.4.1)

    secure_headers (3.5.0)

      useragent

    securecompare (1.0.0)

    shellany (0.0.1)
@@ -1024,7 +1024,7 @@ DEPENDENCIES 
  ruby-oembed (= 0.10.1)

  rubyzip (= 1.2.0)

  sass-rails (= 5.0.6)

  secure_headers (= 3.4.1)

  secure_headers (= 3.5.0)

  shoulda-matchers (= 3.1.1)

  sidekiq (= 4.2.2)

  sidekiq-cron (= 0.4.4)

config/initializers/secure_headers.rb

+15 −24
Original line number Diff line number Diff line 
SecureHeaders::Configuration.default do |config|

  config.hsts = SecureHeaders::OPT_OUT # added by Rack::SSL



  config.csp = {

  csp = {

    default_src:     %w('none'),

    child_src:       %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com

                        player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
@@ -19,41 +19,32 @@ SecureHeaders::Configuration.default do |config| 


  if AppConfig.environment.assets.host.present?

    asset_host = Addressable::URI.parse(AppConfig.environment.assets.host.get).host

    config.csp[:script_src] << asset_host

    config.csp[:style_src] << asset_host

    csp[:script_src] << asset_host

    csp[:style_src] << asset_host

  end



  if AppConfig.chat.enabled?

    config.csp[:media_src] << "data:"

    csp[:media_src] << "data:"



    unless AppConfig.chat.server.bosh.proxy?

      config.csp[:connect_src] << "#{AppConfig.pod_uri.host}:#{AppConfig.chat.server.bosh.port}"

      csp[:connect_src] << "#{AppConfig.pod_uri.host}:#{AppConfig.chat.server.bosh.port}"

    end

  end



  if AppConfig.privacy.mixpanel_uid.present?

    config.csp[:script_src] << "api.mixpanel.com"

    config.csp[:connect_src] << "api.mixpanel.com"

    csp[:script_src] << "api.mixpanel.com"

    csp[:connect_src] << "api.mixpanel.com"

  end



  config.csp[:script_src] << "code.jquery.com" if AppConfig.privacy.jquery_cdn?

  config.csp[:script_src] << "static.chartbeat.com" if AppConfig.privacy.chartbeat_uid.present?

  config.csp[:form_action] << "www.paypal.com" if AppConfig.settings.paypal_donations.enable?

  csp[:script_src] << "code.jquery.com" if AppConfig.privacy.jquery_cdn?

  csp[:script_src] << "static.chartbeat.com" if AppConfig.privacy.chartbeat_uid.present?

  csp[:form_action] << "www.paypal.com" if AppConfig.settings.paypal_donations.enable?



  config.csp[:report_only] = AppConfig.settings.csp.report_only?

  config.csp[:report_uri] = [AppConfig.settings.csp.report_uri] if AppConfig.settings.csp.report_uri.present?

  csp[:report_uri] = [AppConfig.settings.csp.report_uri] if AppConfig.settings.csp.report_uri.present?



  # Add frame-src but don't spam the log with DEPRECATION warnings.

  # We need frame-src to support older versions of Chrome, because secure_headers handles all Chrome browsers as

  # "modern" browser, and ignores the version of the browser. We can drop this once we support only Chrome

  # versions with child-src support.

  module SecureHeaders

    class ContentSecurityPolicy

      private



      def normalize_child_frame_src

        @config[:frame_src] = @config[:child_src]

      end

    end

  if AppConfig.settings.csp.report_only?

    config.csp_report_only = csp

  else

    config.csp = csp

  end

end