Add config option for disabling whitelisting external services in CSP and option for disabling links preload in headers [SCI-10795] (#7677)

config/application.rb

@@ -53,6 +53,8 @@ module Scinote
 
     config.action_dispatch.cookies_serializer = :hybrid
 
+    config.action_view.preload_links_header = false if ENV['RAILS_NO_PRELOAD_LINKS_HEADER'] == 'true'
+
     # Max uploaded file size in MB
     config.x.file_max_size_mb = (ENV['FILE_MAX_SIZE_MB'] || 50).to_i
 
@@ -62,6 +64,8 @@ module Scinote
 
     config.x.custom_sanitizer_config = nil
 
+    config.x.no_external_csp_exceptions = ENV['SCINOTE_NO_EXT_CSP_EXCEPTIONS'] == 'true'
+
     # Logging
     config.log_formatter = proc do |severity, datetime, progname, msg|
       "[#{datetime}] #{severity}: #{msg}\n"

config/initializers/extends.rb

@@ -595,13 +595,22 @@ class Extends
     'FluicsLabelTemplate' => 'Fluics'
   }
 
-  EXTERNAL_SCRIPT_SERVICES = %w(
+  EXTERNAL_SCRIPT_SERVICES =
+    if Rails.application.config.x.no_external_csp_exceptions
+      []
+    else
+      %w(
         https://marvinjs.chemicalize.com/
         www.recaptcha.net/
         www.gstatic.com/recaptcha/
       )
+    end
 
-  EXTERNAL_CONNECT_SERVICES = %w(
+  EXTERNAL_CONNECT_SERVICES =
+    if Rails.application.config.x.no_external_csp_exceptions
+      %w(http://127.0.0.1:9100/)
+    else
+      %w(
         https://www.protocols.io/
         http://127.0.0.1:9100/
         newrelic.com
@@ -610,6 +619,7 @@ class Extends
         extras.scinote.net
         https://www.scinote.net
       )
+    end
 
   if Constants::ASSET_SYNC_URL && EXTERNAL_CONNECT_SERVICES.exclude?(Constants::ASSET_SYNC_URL)
     asset_sync_url = URI.parse(Constants::ASSET_SYNC_URL)