From 297cf625bf8f6e302f458d9209436f91f913e8e4 Mon Sep 17 00:00:00 2001
From: Chris <76159444+hunchr@users.noreply.github.com>
Date: Mon, 4 Nov 2024 10:17:52 +0100
Subject: [PATCH] Add content security policy

---
 app/views/layouts/hotsheet/application.html.erb | 3 ++-
 .../hotsheet/content_security_policy.rb | 14 ++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 config/initializers/hotsheet/content_security_policy.rb

diff --git a/app/views/layouts/hotsheet/application.html.erb b/app/views/layouts/hotsheet/application.html.erb
index 5435cb0..06be1c4 100644
--- a/app/views/layouts/hotsheet/application.html.erb
+++ b/app/views/layouts/hotsheet/application.html.erb
@@ -6,7 +6,8 @@
     <%= csp_meta_tag %>
     <%= yield :head %>
     <%= stylesheet_link_tag "hotsheet/application", media: :all %>
-    <%= javascript_include_tag "hotsheet/application", "data-turbolinks-track": "reload", type: "module" %>
+    <%= javascript_include_tag "hotsheet/application", "data-turbolinks-track": :reload,
+                               type: :module, nonce: content_security_policy_nonce, defer: true %>
 
 
     <%= render "layouts/hotsheet/sidebar" %>
diff --git a/config/initializers/hotsheet/content_security_policy.rb b/config/initializers/hotsheet/content_security_policy.rb
new file mode 100644
index 0000000..faf1f40
--- /dev/null
+++ b/config/initializers/hotsheet/content_security_policy.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+Rails.application.configure do
+  config.content_security_policy do |csp|
+    csp.default_src :none
+    csp.connect_src :self
+    csp.img_src :self
+    csp.script_src :strict_dynamic
+    csp.style_src :self, :unsafe_inline
+  end
+
+  config.content_security_policy_nonce_directives = %w[script-src]
+  config.content_security_policy_nonce_generator = ->(_) { SecureRandom.base64 18 }
+end
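Review bot: The `defer: true` on the new `javascript_include_tag` line is redundant, because a script with `type: :module` is deferred by the browser by definition; either drop it or add an ERB comment saying it is kept deliberately for older user agents, e.g. `<%# defer is a no-op for module scripts; kept for non-module fallbacks %>`. The `nonce: content_security_policy_nonce` attribute only carries a value when a nonce generator is configured for the application, so the helper appears to depend on the initializer added in the same commit (or an equivalent host-app setting); a one-line comment above the tag naming that dependency would help the next maintainer. The surrounding `<head>` markup begins and ends outside the hunk.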
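Review bot: The new initializer configures the policy on `Rails.application.configure`, which sets the CSP for every response of the host application, not only for hotsheet's pages; if this file ships inside the engine, as the `config/initializers/hotsheet/` path suggests, it silently replaces whatever policy the host already has, and a controller-level `content_security_policy do |csp| ... end` in the engine's base controller would scope it to the engine's routes instead. Independently of that, `default_src :none` does not act as a fallback for `base-uri`, `form-action` or `frame-ancestors`, so the block as written leaves `<base>` injection (which matters once nonces and `strict-dynamic` are relied on), cross-origin form submission and framing unrestricted; adding `csp.base_uri :none`, `csp.form_action :self` and `csp.frame_ancestors :none` inside the block closes those gaps. The `style_src :self, :unsafe_inline` line deliberately permits inline styles while `content_security_policy_nonce_directives` covers only `script-src`; a short comment stating why inline styles are needed would make that trade-off explicit for reviewers. The nonce generator ignores its request argument and returns a fresh random value per call, which is the stronger choice, but it should be confirmed against the Turbolinks page cache, since the layout still tags the script with `data-turbolinks-track`.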