Unverified Commit ec8a49b3 authored by Benjamin Neff, committed by Dennis Schubert

Add settings for CSP to diaspora.yml

closes #7128
parent caef6709
......@@ -42,6 +42,7 @@ Note: Although this is a minor release, the configuration file changed because t
* Don't federate to pods that have been offline for an extended period of time [#7120](https://github.com/diaspora/diaspora/pull/7120)
* Add In-Reply-To and References headers to notification mails [#7122](https://github.com/diaspora/diaspora/pull/7122)
* Directly link to a comment in commented notification mails [#7124](https://github.com/diaspora/diaspora/pull/7124)
* Add optional `Content-Security-Policy` header [#7128](https://github.com/diaspora/diaspora/pull/7128)
# 0.6.0.1
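Review bot: the changelog entry says the header is optional but not that it ships in report-only mode by default (`report_only: true` in the defaults hunk), which is the one fact an upgrading operator needs in order to know that no policy is enforced until they change the setting; suggest `Add optional Content-Security-Policy header (report-only by default)`.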
......
......@@ -148,6 +148,9 @@ defaults:
default_metas:
title: 'diaspora* social network'
description: 'diaspora* is the online social world where you are in control.'
csp:
report_only: true
report_uri:
services:
facebook:
enable: false
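Review bot: with `report_only: true` and an empty `report_uri:` as the shipped defaults, the pod emits a `Content-Security-Policy-Report-Only` header whose violations are never delivered anywhere, so they are visible only in the browser console of whoever happens to trigger them. That is a safe rollout default, but the dependency between the two keys should be stated next to them, e.g. a comment above `report_uri:` such as `# leave empty to disable reporting; in report-only mode this means no server-visible data`, so operators do not assume the report-only policy is being monitored.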
......
......@@ -551,6 +551,26 @@ configuration: ## Section
#title: 'diaspora* social network'
#description: 'diaspora* is the online social world where you are in control.'
## CSP (Content Security Policy) header
## CSP allows limiting origins from where resources are allowed to be loaded. This
## improves security, since it helps to detect and mitigate cross-site scripting
## and data injection attacks. The default policy of diaspora* allows all third
## party domains from services that are included in diaspora*, like OEmbed
## scripts, so you can safely activate it by setting `report_only` to false. If
## you customized diaspora* (edited templates or added own JS), additional work
## may be required. You can test the policy with the "report_uri". Our default CSP
## does not work with Google analytics or Piwik, because they inject JS code that
## is blocked by CSP.
csp:
## Report-Only header (default=true)
## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
## this to false, the "Content-Security-Policy" header is added instead.
#report_only: false
## CSP report URI (default=)
## You can set an URI here, where the user agent reports violations as JSON document via a POST request.
#report_uri: "/csp_violation_reports"
## Posting from Diaspora to external services (all are disabled by default).
services: ## Section
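Review bot: the `report_uri` example `"/csp_violation_reports"` is a pod-relative path, but nothing in this change adds a route or controller for it, so an operator who copies the example has browsers POSTing JSON reports at a path the pod does not handle. Either document that the value must point at an endpoint the operator runs (the pod itself or an external collector), or ship a receiver alongside the example. Minor wording in the same hunk: `set an URI` should read `set a URI`, and `Google analytics` should be `Google Analytics`.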
......
......@@ -40,6 +40,9 @@ SecureHeaders::Configuration.default do |config|
config.csp[:script_src] << "static.chartbeat.com" if AppConfig.privacy.chartbeat_uid.present?
config.csp[:form_action] << "www.paypal.com" if AppConfig.settings.paypal_donations.enable?
config.csp[:report_only] = AppConfig.settings.csp.report_only?
config.csp[:report_uri] = [AppConfig.settings.csp.report_uri] if AppConfig.settings.csp.report_uri.present?
# Add frame-src but don't spam the log with DEPRECATION warnings.
# We need frame-src to support older versions of Chrome, because secure_headers handles all Chrome browsers as
# "modern" browser, and ignores the version of the browser. We can drop this once we support only Chrome
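Review bot: `config.csp[:report_uri]` is populated straight from the config value with no validation; `present?` only filters out blank values, so a string with whitespace or other characters that do not form a valid URI still lands in the header as a malformed `report-uri` directive that browsers will not deliver reports to. Consider validating it (or at least logging a warning) at boot. The same place could warn when `AppConfig.settings.csp.report_only?` is true and `report_uri` is blank, since the policy then runs in report-only mode with no reports going anywhere.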
......