CSP FIX: MarvinJS, AWS and New Relic [SCI-8500] (#5449)

* Use the actual nonce value for New Relic [SCI-8500]

* Whitelist MarvinJs [SCI-8500]

* Whitelist used AWS bucket [SCI-8500]
This commit is contained in:
Soufiane 2023-05-22 11:43:19 +02:00 committed by GitHub
parent d28dc059df
commit 8593132a35
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 12 additions and 6 deletions


@ -14,7 +14,7 @@
<%= stylesheet_link_tag 'application', media: 'all' %>
<% if ::NewRelic::Agent.instance.started? %>
<%= ::NewRelic::Agent.browser_timing_header("nonce") %>
<%= ::NewRelic::Agent.browser_timing_header(controller.request.content_security_policy_nonce) %>
<% end %>
<%= javascript_include_tag 'jquery_bundle' %>
<%= javascript_include_tag 'application' %>
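Review bot: `controller.request.content_security_policy_nonce` on the new line evaluates to nil when no `content_security_policy_nonce_generator` is configured, since Rails only generates a nonce when a generator is set; New Relic's inline script would then be emitted without a nonce and be rejected by a nonce-based script-src. The initializer touched by this commit sets `content_security_policy_nonce_directives`, which suggests a generator is configured, but that line is outside this hunk, so please confirm. Inside a view the `request` helper is available directly, so the call can be shortened to `<%= ::NewRelic::Agent.browser_timing_header(request.content_security_policy_nonce) %>`.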


@ -16,11 +16,6 @@ Rails.application.config.active_storage.variable_content_types << 'image/svg+xml
Rails.application.config.active_storage.variant_processor = :vips if ENV['ACTIVESTORAGE_ENABLE_VIPS'] == 'true'
if Rails.application.config.active_storage.service == :amazon
Rails.application.config.active_storage.bucket_url =
"https://#{ENV.fetch('S3_BUCKET', nil)}.s3.#{ENV('S3_REGION', nil) || ENV.fetch('AWS_REGION', nil)}.amazonaws.com/"
end
ActiveStorage::Downloader.class_eval do
def open(key, checksum:, name: 'ActiveStorage-', tmpdir: nil)
open_tempfile(name, tmpdir) do |file|


@ -554,6 +554,7 @@ class Extends
EXTERNAL_SERVICES = %w(
https://www.protocols.io/
http://127.0.0.1:9100/available
https://marvinjs.chemicalize.com/
)
EXTERNAL_SERVICES += [s3] if s3
end
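Review bot: The new `https://marvinjs.chemicalize.com/` entry is undocumented, and because `EXTERNAL_SERVICES` is spread into the CSP `connect_src` list by the initializer in this commit, a reader cannot tell from the list which directive each origin is meant for; a short comment such as `# MarvinJS chemical editor (CSP connect-src)` above the entry would help. If the editor's assets are also loaded as a script or an iframe from that host, script-src/frame-src would need the origin as well, which this hunk does not show. The trailing slash is significant: a CSP source whose path ends in `/` matches every path on that host, whereas a path without it (as in the `/available` entry above) matches that path exactly.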


@ -28,3 +28,13 @@ Rails.application.config.content_security_policy_nonce_directives = %w(script-sr
# For further information see the following documentation:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
# Rails.application.config.content_security_policy_report_only = true
# Whitelist AWS buckets
Rails.application.configure do
config.after_initialize do
return unless ActiveStorage::Blob.service.name == :amazon
Extends::EXTERNAL_SERVICES += [ActiveStorage::Blob.service.bucket.url]
Rails.application.config.content_security_policy.connect_src :self, :data, *Extends::EXTERNAL_SERVICES
end
end
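Review bot: `return` on the third line of the block is a non-local return from a proc; `after_initialize` blocks are invoked later from Rails' boot code after the initializer's top-level frame is gone, so this is prone to `LocalJumpError: unexpected return` rather than a quiet skip, and `next unless ActiveStorage::Blob.service.name == :amazon` is the safe form. `Extends::EXTERNAL_SERVICES += [...]` reassigns a constant at runtime, which makes Ruby print an "already initialized constant" warning on each boot (the same pattern is visible as context in the Extends hunk); appending with `Extends::EXTERNAL_SERVICES.concat([ActiveStorage::Blob.service.bucket.url])` or building a local list for `connect_src` avoids that. `ActiveStorage::Blob.service.bucket.url` may be a path-style URL for bucket names that are not DNS-compliant, and a CSP source with a path and no trailing slash matches that path exactly, so requests for object keys beneath it would be blocked — worth verifying the URL shape in the deployed configuration.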