Главная Обзор Помощь
Вход
SMusatov
/
zammad
зеркало из https://github.com/zammad/zammad.git
1
0
Ответвить 0
Файлы
Дерево: 0faf0a0759
Ветки Метки
zammad
/
config
/
initializers
/
content_security_policy.rb

content_security_policy.rb 2.1 KB
История Исходник

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354 
  1. # Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/
    2. 

  2. 

  3. # Be sure to restart your server when you modify this file.
    4. 

  4. 

  5. # Define an application-wide content security policy
    6. 

  6. # For further information see the following documentation
    7. 

  7. # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
    8. 

  8. 

  9. # Rails.application.config.content_security_policy do |policy|
    10. 

  10. #   policy.default_src :self, :https
    11. 

  11. #   policy.font_src    :self, :https, :data
    12. 

  12. #   policy.img_src     :self, :https, :data
    13. 

  13. #   policy.object_src  :none
    14. 

  14. #   policy.script_src  :self, :https
    15. 

  15. #   policy.style_src   :self, :https
    16. 

  16. #   # If you are using webpack-dev-server then specify webpack-dev-server host
    17. 

  17. #   policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development?
    18. 

  18. 

  19. #   # Specify URI for violation reports
    20. 

  20. #   # policy.report_uri "/csp-violation-report-endpoint"
    21. 

  21. # end
    22. 

  22. 

  23. Rails.application.config.content_security_policy do |policy|
    24. 

  24.   base_uri = proc do
    25. 

  25.     next if !Rails.env.production?
    26. 

  26.     next if !Setting.get('system_init_done')
    27. 

  27. 

  28.     http_type = Setting.get('http_type')
    29. 

  29.     fqdn      = Setting.get('fqdn')
    30. 

  30. 

  31.     "#{http_type}://#{fqdn}"
    32. 

  32.   end
    33. 

  33. 

  34.   policy.base_uri :self, base_uri
    35. 

  35. 

  36.   policy.default_src :self, :ws, :wss, 'https://log.zammad.com', 'https://images.zammad.com'
    37. 

  37.   policy.font_src    :self, :data
    38. 

  38.   policy.img_src     '*', :data
    39. 

  39.   policy.object_src  :none
    40. 

  40.   policy.script_src  :self, :unsafe_eval, :strict_dynamic
    41. 

  41.   policy.style_src   :self, :unsafe_inline
    42. 

  42.   policy.frame_src   'www.youtube.com', 'player.vimeo.com'
    43. 

  43. end
    44. 

  44. 

  45. # If you are using UJS then enable automatic nonce generation
    46. 

  46. Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
    47. 

  47. 

  48. # Set the nonce only to specific directives
    49. 

  49. Rails.application.config.content_security_policy_nonce_directives = %w[script-src]
    50. 

  50. 

  51. # Report CSP violations to a specified URI
    52. 

  52. # For further information see the following documentation:
    53. 

  53. # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
    54. 

  54. # Rails.application.config.content_security_policy_report_only = true
    55.