Update Content Security Policy headers

Adding the default-src values to policies so they work as usual on tests. Or other environments without explicit CSP config.

Update Content Security Policy headers
Adding the default-src values to policies so they work as usual on tests. Or other environments without explicit CSP config.
3390ca52 · Axel García · 7029aa51 · 3390ca52 · 3390ca52 · 3390ca52
Commit 3390ca52 authored Oct 08, 2021 by Axel García
3 changed files
--- a/app/controllers/registrations_controller.rb
+++ b/app/controllers/registrations_controller.rb
@@ -18,10 +18,12 @@ class RegistrationsController < Devise::RegistrationsController
  content_security_policy do |policy|
    next if policy.directives.blank?

-    script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com']
+    default_script_src = policy.directives['script-src'] || policy.directives['default-src']
+    script_src_values = Array.wrap(default_script_src) | ["'self'", "'unsafe-eval'", 'https://cdn.cookielaw.org https://*.onetrust.com']
    policy.script_src(*script_src_values)

-    connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org']
+    default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
+    connect_src_values = Array.wrap(default_connect_src) | ["'self'", 'https://cdn.cookielaw.org']
    policy.connect_src(*connect_src_values)
  end


--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -58,10 +58,12 @@ class SessionsController < Devise::SessionsController
  content_security_policy do |policy|
    next if policy.directives.blank?

-    script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com']
+    default_script_src = policy.directives['script-src'] || policy.directives['default-src']
+    script_src_values = Array.wrap(default_script_src) | ["'self'", "'unsafe-eval'", 'https://cdn.cookielaw.org https://*.onetrust.com']
    policy.script_src(*script_src_values)

-    connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org']
+    default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
+    connect_src_values = Array.wrap(default_connect_src) | ["'self'", 'https://cdn.cookielaw.org']
    policy.connect_src(*connect_src_values)
  end


--- a/ee/app/controllers/trial_registrations_controller.rb
+++ b/ee/app/controllers/trial_registrations_controller.rb
@@ -15,10 +15,12 @@ class TrialRegistrationsController < RegistrationsController
  content_security_policy do |policy|
    next if policy.directives.blank?

-    script_src_values = Array.wrap(policy.directives['script-src']) | ['https://cdn.cookielaw.org https://*.onetrust.com']
+    default_script_src = policy.directives['script-src'] || policy.directives['default-src']
+    script_src_values = Array.wrap(default_script_src) | ["'self'", "'unsafe-eval'", 'https://cdn.cookielaw.org https://*.onetrust.com']
    policy.script_src(*script_src_values)

-    connect_src_values = Array.wrap(policy.directives['connect-src']) | ['https://cdn.cookielaw.org']
+    default_connect_src = policy.directives['connect-src'] || policy.directives['default-src']
+    connect_src_values = Array.wrap(default_connect_src) | ["'self'", 'https://cdn.cookielaw.org']
    policy.connect_src(*connect_src_values)
  end