Split external services for CSP for script_src and connect_src [sci_10572]

2024-09-20 06:35:56 +08:00 · 2024-04-05 11:12:35 +01:00 · 2024-04-05 11:12:35 +01:00 · 9ac0dca68a
parent 6e95ba13f9
commit 9ac0dca68a
2 changed files with 13 additions and 10 deletions
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@ -11,9 +11,9 @@ ActiveSupport::Reloader.to_prepare do
    policy.font_src    :self, :https, :data
    policy.img_src     :self, :https, :data, :blob
    policy.object_src  :none
-    policy.script_src  :self, :unsafe_eval, *Extends::EXTERNAL_SERVICES
+    policy.script_src  :self, :unsafe_eval, *Extends::EXTERNAL_SCRIPT_SERVICES
    policy.style_src   :self, :https, :unsafe_inline, :data
-    policy.connect_src :self, :data, *Extends::EXTERNAL_SERVICES
+    policy.connect_src :self, :data, *Extends::EXTERNAL_CONNECT_SERVICES

    # Specify URI for violation reports
    # policy.report_uri "/csp-violation-report-endpoint"
@ -44,8 +44,8 @@ Rails.application.config.content_security_policy_nonce_directives = %w(script-sr
 Rails.application.configure do
  config.after_initialize do
    if ActiveStorage::Blob.service.name == :amazon
-      Extends::EXTERNAL_SERVICES += [ActiveStorage::Blob.service.bucket.url]
-      Rails.application.config.content_security_policy.connect_src :self, :data, *Extends::EXTERNAL_SERVICES
+      Extends::EXTERNAL_CONNECT_SERVICES += [ActiveStorage::Blob.service.bucket.url]
+      Rails.application.config.content_security_policy.connect_src :self, :data, *Extends::EXTERNAL_CONNECT_SERVICES
    end
  end
 end
--- a/config/initializers/extends.rb
+++ b/config/initializers/extends.rb
@ -589,22 +589,25 @@ class Extends
    'FluicsLabelTemplate' => 'Fluics'
  }

-  EXTERNAL_SERVICES = %w(
+  EXTERNAL_SCRIPT_SERVICES = %w(
+    https://marvinjs.chemicalize.com/
+    www.recaptcha.net/
+    www.gstatic.com/recaptcha/
+  )
+
+  EXTERNAL_CONNECT_SERVICES = %w(
    https://www.protocols.io/
    http://127.0.0.1:9100/
-    https://marvinjs.chemicalize.com/
    newrelic.com
    *.newrelic.com
    *.nr-data.net
-    www.recaptcha.net/
-    www.gstatic.com/recaptcha/
    extras.scinote.net
    https://www.scinote.net
  )

-  if Constants::ASSET_SYNC_URL && EXTERNAL_SERVICES.exclude?(Constants::ASSET_SYNC_URL)
+  if Constants::ASSET_SYNC_URL && EXTERNAL_CONNECT_SERVICES.exclude?(Constants::ASSET_SYNC_URL)
    asset_sync_url = URI.parse(Constants::ASSET_SYNC_URL)
-    EXTERNAL_SERVICES << "#{asset_sync_url.scheme}://#{asset_sync_url.host}:#{asset_sync_url.port}"
+    EXTERNAL_CONNECT_SERVICES << "#{asset_sync_url.scheme}://#{asset_sync_url.host}:#{asset_sync_url.port}"
  end

  COLORED_BACKGROUND_ACTIONS = %w(