Add config option for disabling whitelisting external services in CSP and option for disabling links preload in headers [SCI-10795] (#7677)

config/application.rb

@@ -53,6 +53,8 @@ module Scinote
 
     config.action_dispatch.cookies_serializer = :hybrid
 
+    config.action_view.preload_links_header = false if ENV['RAILS_NO_PRELOAD_LINKS_HEADER'] == 'true'
+
     # Max uploaded file size in MB
     config.x.file_max_size_mb = (ENV['FILE_MAX_SIZE_MB'] || 50).to_i
 
@@ -62,6 +64,8 @@ module Scinote
 
     config.x.custom_sanitizer_config = nil
 
+    config.x.no_external_csp_exceptions = ENV['SCINOTE_NO_EXT_CSP_EXCEPTIONS'] == 'true'
+
     # Logging
     config.log_formatter = proc do |severity, datetime, progname, msg|
       "[#{datetime}] #{severity}: #{msg}\n"

config/initializers/extends.rb

@@ -595,21 +595,31 @@ class Extends
     'FluicsLabelTemplate' => 'Fluics'
   }
 
-  EXTERNAL_SCRIPT_SERVICES = %w(
-    https://marvinjs.chemicalize.com/
-    www.recaptcha.net/
-    www.gstatic.com/recaptcha/
-  )
+  EXTERNAL_SCRIPT_SERVICES =
+    if Rails.application.config.x.no_external_csp_exceptions
+      []
+    else
+      %w(
+        https://marvinjs.chemicalize.com/
+        www.recaptcha.net/
+        www.gstatic.com/recaptcha/
+      )
+    end
 
-  EXTERNAL_CONNECT_SERVICES = %w(
-    https://www.protocols.io/
-    http://127.0.0.1:9100/
-    newrelic.com
-    *.newrelic.com
-    *.nr-data.net
-    extras.scinote.net
-    https://www.scinote.net
-  )
+  EXTERNAL_CONNECT_SERVICES =
+    if Rails.application.config.x.no_external_csp_exceptions
+      %w(http://127.0.0.1:9100/)
+    else
+      %w(
+        https://www.protocols.io/
+        http://127.0.0.1:9100/
+        newrelic.com
+        *.newrelic.com
+        *.nr-data.net
+        extras.scinote.net
+        https://www.scinote.net
+      )
+    end
 
   if Constants::ASSET_SYNC_URL && EXTERNAL_CONNECT_SERVICES.exclude?(Constants::ASSET_SYNC_URL)
     asset_sync_url = URI.parse(Constants::ASSET_SYNC_URL)