eoinkelly · September 24, 2020 22:12
diff --git a/2020-09-25-rails-template-csp.rb b/2020-09-25-rails-template-csp.rb
 # Be sure to restart your server when you modify this file.

 # Define an application-wide content security policy
 # For further information see the following documentation
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

 Rails.application.config.content_security_policy do |policy|
  # These directives define a quite strict policy by default. You may have to
  # loosen this policy as you add elements to the app. Some examples of common
  # additions are shown below.
  #
  policy.default_src :self
  policy.font_src    :self
  policy.img_src     :self
  policy.object_src  :none
  policy.script_src  :self
  policy.style_src   :self

  # Allow inline-styles
  # ###################
  #
  # * The use of both kind of quotes is required here because the value as it
  #   appears in the CSP header must be surrounded by single quotes.
  # * Try to avoid enabling this if you can
  # * IMPORTANT: you can't just uncomment these lines to make this work - you
  #   need to merge the example into your existing call to the appropriate
  #   `*_src` method.
  #
  # policy.style_src  :self, "'unsafe-inline'"

  # Use a separate host for assets e.g. CDN
  # #######################################
  #
  # * This example adds the external host to the `default_src` policy meaning
  #   that any kind of asset can be loaded from it. You should be more
  #   targeted if you can e.g. if the external host is only going to serve
  #   images then use `policy.img_src` instead.
  # * IMPORTANT: you can't just uncomment these lines to make this work - you
  #   need to merge the example into your existing call to the appropriate
  #   `*_src` method.
  #
  # asset_host = if Rails.env.development? || Rails.env.test?
  #                "http://#{Rails.application.secrets.asset_host}"
  #              else
  #                "https://#{Rails.application.secrets.asset_host}"
  #              end
  # policy.default_src :self, asset_host

  # Use an S3 bucket for assets
  # ###########################
  #
  # * This example adds the S3 bucket to the `default_src` policy meaning that
  #   any kind of asset can be loaded from it. You should be more targetted if
  #   you can e.g. if the bucket is only going to serve images then use
  #   `policy.img_src` instead.
  # * IMPORTANT: you can't just uncomment these lines to make this work - you
  #   need to merge the example into your existing call to the appropriate
  #   `*_src` method.
  #
  # s3_bucket_url = "https://my-app-assets-#{Rails.env.dasherize}.s3.amazonaws.com"
  # policy.default_src :self, s3_bucket_url

  # Use Google fonts
  # ################
  #
  # * Instructions: https://content-security-policy.com/examples/google-fonts/
  # * IMPORTANT: you can't just uncomment these lines to make this work - you
  #   need to merge the example into your existing call to the appropriate
  #   `*_src` method.
  #
  # policy.font_src :self, "https://fonts.gstatic.com"
  # policy.style_src :self, "https://fonts.googleapis.com"

  # Use Google Tag Manager or Google Analytics
  # ##########################################
  #
  # * Instructions: https://developers.google.com/tag-manager/web/csp
  # * You can use the nonce version. Rails generates the nonce which you can use as follows:
  #
  #     <%= javascript_tag nonce: true do -%>
  #         <!-- Google tag manager or analytics snippet goes here
  #     <% end -%>
  #
  # https://api.rubyonrails.org/classes/ActionView/Helpers/JavaScriptHelper.html#method-i-javascript_tag
  # for details.

  # Allow webpack-dev-server to use websockets in development
  # #########################################################
  #
  # * We want to minimize differences in the CSP header between environments so
  #   that we can find and fix CSP issues in development but enabling the
  #   webpack-dev-server to communicate over websockets is an exception.
  #
  policy.connect_src :self, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?

  # Enable CSP reporting
  # ####################
  #
  # You should enable a reporting URL so you can find and fix any issues your
  # users encounter caused by CSP in production.
  #
  # If you app is using https://sentry.io then you can use the URL they provide
  # for your app to report CSP issues - see
  # https://docs.sentry.io/error-reporting/security-policy-reporting/ for
  # details
  #
  policy.report_uri ENV.fetch("SENTRY_CSP_HEADER_REPORT_ENDPOINT")
 end

 # ###############
 # Configure nonce
 # ###############

 # If you are using UJS then enable automatic nonce generation
 Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }

 # Set the nonce only to specific directives
 # Rails.application.config.content_security_policy_nonce_directives = %w(script-src)

 # ################################
 # Configure reporting vs enforcing
 # ################################
 #
 # Report CSP violations to a specified URI. For further information see the
 # following documentation:
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
 #
 # We default to turning on enforcement in all environments so that we can catch
 # issues early in development before they hit staging or production.
 #
 Rails.application.config.content_security_policy_report_only = false
	# Be sure to restart your server when you modify this file.

	# Define an application-wide content security policy
	# For further information see the following documentation
	# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

	Rails.application.config.content_security_policy do \|policy\|
	# These directives define a quite strict policy by default. You may have to
	# loosen this policy as you add elements to the app. Some examples of common
	# additions are shown below.
	#
	policy.default_src :self
	policy.font_src :self
	policy.img_src :self
	policy.object_src :none
	policy.script_src :self
	policy.style_src :self

	# Allow inline-styles
	# ###################
	#
	# * The use of both kind of quotes is required here because the value as it
	# appears in the CSP header must be surrounded by single quotes.
	# * Try to avoid enabling this if you can
	# * IMPORTANT: you can't just uncomment these lines to make this work - you
	# need to merge the example into your existing call to the appropriate
	# `*_src` method.
	#
	# policy.style_src :self, "'unsafe-inline'"

	# Use a separate host for assets e.g. CDN
	# #######################################
	#
	# * This example adds the external host to the `default_src` policy meaning
	# that any kind of asset can be loaded from it. You should be more
	# targeted if you can e.g. if the external host is only going to serve
	# images then use `policy.img_src` instead.
	# * IMPORTANT: you can't just uncomment these lines to make this work - you
	# need to merge the example into your existing call to the appropriate
	# `*_src` method.
	#
	# asset_host = if Rails.env.development? \|\| Rails.env.test?
	# "http://#{Rails.application.secrets.asset_host}"
	# else
	# "https://#{Rails.application.secrets.asset_host}"
	# end
	# policy.default_src :self, asset_host

	# Use an S3 bucket for assets
	# ###########################
	#
	# * This example adds the S3 bucket to the `default_src` policy meaning that
	# any kind of asset can be loaded from it. You should be more targetted if
	# you can e.g. if the bucket is only going to serve images then use
	# `policy.img_src` instead.
	# * IMPORTANT: you can't just uncomment these lines to make this work - you
	# need to merge the example into your existing call to the appropriate
	# `*_src` method.
	#
	# s3_bucket_url = "https://my-app-assets-#{Rails.env.dasherize}.s3.amazonaws.com"
	# policy.default_src :self, s3_bucket_url

	# Use Google fonts
	# ################
	#
	# * Instructions: https://content-security-policy.com/examples/google-fonts/
	# * IMPORTANT: you can't just uncomment these lines to make this work - you
	# need to merge the example into your existing call to the appropriate
	# `*_src` method.
	#
	# policy.font_src :self, "https://fonts.gstatic.com"
	# policy.style_src :self, "https://fonts.googleapis.com"

	# Use Google Tag Manager or Google Analytics
	# ##########################################
	#
	# * Instructions: https://developers.google.com/tag-manager/web/csp
	# * You can use the nonce version. Rails generates the nonce which you can use as follows:
	#
	# <%= javascript_tag nonce: true do -%>
	# <!-- Google tag manager or analytics snippet goes here
	# <% end -%>
	#
	# https://api.rubyonrails.org/classes/ActionView/Helpers/JavaScriptHelper.html#method-i-javascript_tag
	# for details.

	# Allow webpack-dev-server to use websockets in development
	# #########################################################
	#
	# * We want to minimize differences in the CSP header between environments so
	# that we can find and fix CSP issues in development but enabling the
	# webpack-dev-server to communicate over websockets is an exception.
	#
	policy.connect_src :self, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?

	# Enable CSP reporting
	# ####################
	#
	# You should enable a reporting URL so you can find and fix any issues your
	# users encounter caused by CSP in production.
	#
	# If you app is using https://sentry.io then you can use the URL they provide
	# for your app to report CSP issues - see
	# https://docs.sentry.io/error-reporting/security-policy-reporting/ for
	# details
	#
	policy.report_uri ENV.fetch("SENTRY_CSP_HEADER_REPORT_ENDPOINT")
	end

	# ###############
	# Configure nonce
	# ###############

	# If you are using UJS then enable automatic nonce generation
	Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }

	# Set the nonce only to specific directives
	# Rails.application.config.content_security_policy_nonce_directives = %w(script-src)

	# ################################
	# Configure reporting vs enforcing
	# ################################
	#
	# Report CSP violations to a specified URI. For further information see the
	# following documentation:
	# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
	#
	# We default to turning on enforcement in all environments so that we can catch
	# issues early in development before they hit staging or production.
	#
	Rails.application.config.content_security_policy_report_only = false