From dc16ff28f8e07c2725fbf4746b29efbe86ad773d Mon Sep 17 00:00:00 2001
From: John Topley
Date: Tue, 4 Apr 2023 11:09:29 +0100
Subject: [PATCH] Parameterised Content Security Policy with new configuration

---
 webapp/app.rb | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/webapp/app.rb b/webapp/app.rb
index a3e813f..6f117be 100644
--- a/webapp/app.rb
+++ b/webapp/app.rb
@@ -57,8 +57,11 @@ def website_link(url)
 end
 
 before do
+  image_sources = CONFIG.content_security_policy_image_sources
+  script_sources = CONFIG.content_security_policy_script_sources
+  style_sources = CONFIG.content_security_policy_style_sources
   headers 'Cache-Control' => 'no-cache'
-  headers 'Content-Security-Policy' => "default-src 'self'; img-src 'self' data: https://avatars.githubusercontent.com https://cdn.datatables.net; https://githubdev-explorer.integrateddataservice.gov.uk; script-src 'unsafe-eval' 'self' https://ajax.googleapis.com https://cdn.datatables.net https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdn.datatables.net;"
+  headers 'Content-Security-Policy' => "default-src 'self'; img-src #{image_sources}; script-src #{script_sources}; style-src #{style_sources};"
   headers 'Content-Type' => 'text/html; charset=utf-8'
   headers 'Permissions-Policy' => 'fullscreen=(self)'
   headers 'Referrer-Policy' => 'strict-origin-when-cross-origin'
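Review bot: The three `CONFIG.content_security_policy_*_sources` values are interpolated straight into the header on the new `headers 'Content-Security-Policy' =>` line with no validation, so a nil or empty setting silently yields e.g. `img-src ;` (an empty directive, which browsers treat as `'none'`), and a value containing `;` or a CR/LF would rewrite the remaining directives or the header itself. Now that the policy is configuration rather than code, it should fail fast rather than ship a broken or weakened policy: a small guard such as `csp_list = ->(v) { raise ArgumentError, "invalid CSP source list: #{v.inspect}" unless v.to_s.match?(/\A[^;\r\n]+\z/); v }` applied to each of the three values (ideally once at boot, not per request) would cover this. Whether the removed policy's `'unsafe-eval'` in script-src and the stray `;` that split the old img-src list were carried into the new configuration cannot be seen from this hunk; please confirm the values were reviewed rather than copied verbatim. The `before do` block continues past the end of the hunk.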