Fix CSP [SCI-8500] (#5451)

* Move aws logic to security policy initializer [SCI-8500] * Use if block in initializer [SCI-8500]
2025-02-27 17:30:32 +08:00 · 2023-05-22 13:04:13 +02:00 · 2023-05-22 13:04:13 +02:00 · 9b675ba2d8
commit 9b675ba2d8
parent cbecd56122
2 changed files with 4 additions and 7 deletions
--- a/config/initializers/extends.rb
+++ b/config/initializers/extends.rb
@ -549,14 +549,11 @@ class Extends
    'FluicsLabelTemplate' => 'Fluics'
  }

-  s3 = Rails.application.config.active_storage.bucket_url
-
  EXTERNAL_SERVICES = %w(
    https://www.protocols.io/
    http://127.0.0.1:9100/available
    https://marvinjs.chemicalize.com/
  )
-  EXTERNAL_SERVICES += [s3] if s3
 end

 # rubocop:enable Style/MutableConstant
--- a/config/initializers/security_policy.rb
+++ b/config/initializers/security_policy.rb
@ -32,9 +32,9 @@ Rails.application.config.content_security_policy_nonce_directives = %w(script-sr
 # Whitelist AWS buckets
 Rails.application.configure do
  config.after_initialize do
-    return unless ActiveStorage::Blob.service.name == :amazon
-
-    Extends::EXTERNAL_SERVICES += [ActiveStorage::Blob.service.bucket.url]
-    Rails.application.config.content_security_policy.connect_src :self, :data, *Extends::EXTERNAL_SERVICES
+    if ActiveStorage::Blob.service.name == :amazon
+      Extends::EXTERNAL_SERVICES += [ActiveStorage::Blob.service.bucket.url]
+      Rails.application.config.content_security_policy.connect_src :self, :data, *Extends::EXTERNAL_SERVICES
+    end
  end
 end