Add content security policy

havenweb · Dec 2, 2024 · 6656008 · 6656008
1 parent d9b3f75
commit 6656008
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 9 deletions.
diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb
@@ -3,6 +3,7 @@ class PostsController < ApplicationController
   IMG_REGEX = /!\[.*\]\(.*\)/
   before_action :authenticate_user!, except: :rss
   before_action :verify_publisher, except: [:index, :show, :rss]
+#  content_security_policy false, only: [:new, :edit]
 
   def index
     @posts = Post.order(datetime: :desc).page(params[:page])

diff --git a/app/views/posts/_form.html.erb b/app/views/posts/_form.html.erb
@@ -2,7 +2,7 @@
 <%= form_with model: @post, local: true do |form| %>
   <%= form.date_field :date, :style => 'display:inline;', :value => @post.datetime.strftime("%Y-%m-%d"), type: (@show_date ? :date : :hidden) %>
   <%= form.time_field :time, :style => 'display:inline;', :value => @post.datetime.strftime("%H:%M"), type: (@show_date ? :time : :hidden) %>
-  <%= form.text_area :content, :rows => 10, :dir => "auto", :style => 'display:block;width:100%;', :oninput => "doRender();", :value => @post.content %>
+  <%= form.text_area :content, :rows => 10, :dir => "auto", :style => 'display:block;width:100%;', :oninput => "doRender()", :value => @post.content %>
   <%= form.file_field :pic, :accept => "image/*,.mp4,.mp3", :style => "display:inline;" %>
   <%= form.submit :value => "Upload Selected Image", data: {disable_with: "Upload Selected Image"}, :style => "display:inline;" %>
   <%= form.submit :value => "Save Post", :style => "display:block;" %>
@@ -15,7 +15,8 @@
 <div id="display" dir="auto">
 </div>
 
-<script type="text/javascript">
+<%= javascript_tag nonce: true, type: 'application/javascript' do %>
+
 function doRender() {
   var converter = new showdown.Converter();
   converter.setFlavor('github');
@@ -24,6 +25,7 @@ function doRender() {
   document.getElementById("display").innerHTML = html;
 }
 doRender();
+
 function setTime() {
   var today = new Date();
   var dd = String(today.getDate()).padStart(2, '0');
@@ -39,4 +41,4 @@ function setTime() {
 if (document.getElementById("post_content").value.trim()=="") {
   setTime();
 }
-</script>
+<% end %>
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -4,25 +4,25 @@
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 
-# Rails.application.config.content_security_policy do |policy|
+ Rails.application.config.content_security_policy do |policy|
 #   policy.default_src :self, :https
 #   policy.font_src    :self, :https, :data
 #   policy.img_src     :self, :https, :data
-#   policy.object_src  :none
-#   policy.script_src  :self, :https
+   policy.object_src  :none
+   policy.script_src  :self, "'unsafe-hashes'", "'sha256-SVKFaZ87p3OYyL4QpdWTjBEy7aRLeCA7ImdqNG5YJe0='" # for "doRender()" script in app/views/posts/_form.html.erb
 #   policy.style_src   :self, :https
 #   # If you are using webpack-dev-server then specify webpack-dev-server host
 #   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
 
 #   # Specify URI for violation reports
 #   # policy.report_uri "/csp-violation-report-endpoint"
-# end
+ end
 
 # If you are using UJS then enable automatic nonce generation
-# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
+ Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
 
 # Set the nonce only to specific directives
-# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
+ Rails.application.config.content_security_policy_nonce_directives = %w(script-src)
 
 # Report CSP violations to a specified URI
 # For further information see the following documentation:

diff --git a/test/system/content_security_policy_test.rb b/test/system/content_security_policy_test.rb
@@ -0,0 +1,25 @@
+require "application_system_test_case"
+require_relative 'systemtest_helpers.rb'
+
+class ContentSecurityPolicyTest < ApplicationSystemTestCase
+  test_users = {
+    washington: {email: "[email protected]", pass: "georgepass"}, # admin
+    jackson: {email: "[email protected]", pass: "jacksonpass"},      # publisher
+    lincoln: {email: "[email protected]", pass: "lincolnpass"}     # subscriber
+  }
+
+  ## This test is also ensuring that the content security policy doesn't prevent
+  ## the Javascript code which generates live previews from entered markdown
+  test "editing a post generates a markdown preview" do
+    log_in_with test_users[:jackson]
+    click_on "New Post Button"
+    m = "#{rand} Post Title"
+    fill_in "post_content", with: "# #{m}"
+    # Javascript preview creates <h1> tag with contents of `m`
+    assert_selector "h1", text: m
+    # finish and log out
+    click_on "Save Post"
+    click_on "Logout"
+  end
+
+end