parent
2d1887cb35
commit
32a25165fc
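--- a/app/controllers/csp_controller.rb
+++ b/app/controllers/csp_controller.rb
@@ -0,0 +1,9 @@
+class CspController < ApplicationController
+skip_before_action :verify_authenticity_token
+skip_before_action :authenticate_user
+
+def violation_report
+Rails.logger.info(request.body.read)
+head :ok
+end
+end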
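Review bot: `Rails.logger.info(request.body.read)` writes the entire request body into the log with no size cap and no newline stripping, on an action that skips both CSRF and authentication, so any client can push arbitrary-length, multi-line content into the application log (log flooding, forged log lines). A bounded read with line breaks removed keeps the report useful while limiting that impact, e.g. `report = request.body.read(MAX_REPORT_BYTES).to_s` then `Rails.logger.info("CSP violation: #{report.delete("\r\n")}")`, where `MAX_REPORT_BYTES` is a constant the controller would define (value to be chosen). Skipping `verify_authenticity_token` is expected here because browsers send violation reports without a CSRF token; a one-line comment above that `skip_before_action` stating this would spare the next reader from wondering whether it is an oversight.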
@ -4,17 +4,16 @@
# For further information see the following documentation
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
|
# Rails.application.config.content_security_policy do |policy|
# policy.default_src :self, :https
# policy.font_src :self, :https, :data
# policy.img_src :self, :https, :data
# policy.object_src :none
# policy.script_src :self, :https
# policy.style_src :self, :https
Rails.application.config.content_security_policy do |policy|
policy.default_src :none
policy.img_src '*', :data
policy.script_src :self, :unsafe_inline
policy.style_src :self, :unsafe_inline
policy.form_action :self
|
# # Specify URI for violation reports
# # policy.report_uri "/csp-violation-report-endpoint"
# end
# Specify URI for violation reports
policy.report_uri "/csp-violation-report"
end
|
# If you are using UJS then enable automatic nonce generation
# Rails.application.config.content_security_policy_nonce_generator =
@ -23,4 +22,4 @@
# Report CSP violations to a specified URI
# For further information see the following documentation:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
# Rails.application.config.content_security_policy_report_only = true
Rails.application.config.content_security_policy_report_only = true
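Review bot: `policy.script_src :self, :unsafe_inline` keeps inline scripts permitted, so once this policy is enforced it will not block injected inline script, which is the main thing a CSP is usually there to stop; with the second hunk setting `content_security_policy_report_only = true` that is acceptable as a first reporting baseline, but a comment on the `script_src` line recording that `:unsafe_inline` is a temporary allowance to be replaced by nonces (the commented-out `content_security_policy_nonce_generator` context line at the bottom of the hunk) would capture the intent. `policy.default_src :none` also does not cover `base-uri` or `frame-ancestors`, which do not fall back to `default-src`; adding `policy.base_uri :self` and `policy.frame_ancestors :self` closes those gaps (Rails' default `X-Frame-Options: SAMEORIGIN` header presumably already covers framing, so the latter is defence in depth). The `Rails.application.config.content_security_policy do |policy|` block is entirely within the hunk.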
@ -197,4 +197,6 @@ Rails.application.routes.draw do
get "/privacy" => "home#privacy"
get "/about" => "home#about"
get "/chat" => "home#chat"
|
post '/csp-violation-report' => 'csp#violation_report'
end
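Review bot: The new route uses single quotes while the neighbouring `get` routes in the same hunk use double quotes; for consistency it would read `post "/csp-violation-report" => "csp#violation_report"`. The `Rails.application.routes.draw do` block starts outside the hunk.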
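--- a/spec/controllers/csp_controller_spec.rb
+++ b/spec/controllers/csp_controller_spec.rb
@@ -0,0 +1,26 @@
+require 'rails_helper'
+
+describe CspController do
+describe '/csp-violation-report' do
+it 'records the violation' do
+body = {
+"csp-report" => {
+"blocked-uri" => "data",
+"document-uri" => "http://localhost:3000/s/izi825/hckr_news_hacker_news_sorted_by_time",
+"original-policy" => [
+"default-src 'none'",
+"img-src *",
+"script-src 'self' 'unsafe-inline'",
+"style-src 'self' 'unsafe-inline'",
+"form-action 'self'",
+"report-uri http://localhost:3000/csp-violation-report",
+].join('; '),
+"referrer" => "http://localhost:3000/",
+"violated-directive" => "img-src",
+},
+}
+post :violation_report, body: body.to_json, format: :json
+expect(response).to have_http_status(:ok)
+end
+end
+end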
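Review bot: The example is named 'records the violation' but only asserts `have_http_status(:ok)`, so the logging in `CspController#violation_report` could be removed or broken without this spec noticing. Adding `expect(Rails.logger).to receive(:info).with(a_string_including("img-src"))` before the `post` line pins the behaviour the name promises. It would also be worth a second example posting a non-JSON or empty body to show the endpoint still answers 200 rather than raising, since browsers' report payloads are not under the application's control.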