From 84f58b76e1b7e2e8f8a238b43b4806c4e87a0f49 Mon Sep 17 00:00:00 2001 From: Mariam A Date: Mon, 12 Sep 2022 14:00:11 -0400 Subject: [PATCH] LTI-179: Chance X-Frame-Opts to Content-Security-Policy (#113) --- config/application.rb | 5 --- .../initializers/content_security_policy.rb | 43 +++++++++++++++++++ 2 files changed, 43 insertions(+), 5 deletions(-) create mode 100644 config/initializers/content_security_policy.rb diff --git a/config/application.rb b/config/application.rb index d5d4b1e7..66931855 100755 --- a/config/application.rb +++ b/config/application.rb @@ -38,10 +38,5 @@ class Application < Rails::Application config.relative_url_root = "/#{ENV['RELATIVE_URL_ROOT'] || 'lti'}" config.assets.prefix = "#{config.relative_url_root}/assets" - - # Allow this to work in an iframe on another domain - config.action_dispatch.default_headers = { - 'X-Frame-Options' => 'ALLOWALL', - } end end diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb new file mode 100644 index 00000000..07a4e05f --- /dev/null +++ b/config/initializers/content_security_policy.rb 
@@ -0,0 +1,43 @@ +# frozen_string_literal: true + +# BigBlueButton open source conferencing system - http://www.bigbluebutton.org/. +# Copyright (c) 2018 BigBlueButton Inc. and by respective authors (see below). +# This program is free software; you can redistribute it and/or modify it under the +# terms of the GNU Lesser General Public License as published by the Free Software +# Foundation; either version 3.0 of the License, or (at your option) any later +# version. +# +# BigBlueButton is distributed in the hope that it will be useful, but WITHOUT ANY +# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. +# You should have received a copy of the GNU Lesser General Public License along +# with BigBlueButton; if not, see . + +# Be sure to restart your server when you modify this file. + +# Define an application-wide content security policy +# For further information see the following documentation +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + +Rails.application.config.content_security_policy do |policy| # # If you are using webpack-dev-server then specify webpack-dev-server host + # policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development? 
+
+ # policy.default_src :self, :https
+ # policy.font_src :self, :https, :data
+ # policy.img_src :self, :https, :data
+ # policy.object_src :none
+ # policy.script_src :self, :https
+ # policy.style_src :self, :https
+ policy.frame_ancestors('*')
+
+ # Specify URI for violation reports
+ # policy.report_uri "/csp-violation-report-endpoint"
+end
+
+# If you are using UJS then enable automatic nonce generation
+Rails.application.config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }
+
+# Report CSP violations to a specified URI
+# For further information see the following documentation:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+# Rails.application.config.content_security_policy_report_only = true
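Review bot: `policy.frame_ancestors('*')` reproduces the removed `X-Frame-Options: ALLOWALL` behaviour rather than tightening it: any origin may still frame the tool, so the clickjacking protection a CSP normally provides is not gained by this change. An LTI tool only needs to be framed by the platforms it is registered with, so the directive should be fed the known platform origins, e.g. `policy.frame_ancestors(:self, *ENV.fetch('LTI_FRAME_ANCESTORS', '*').split)`, keeping the wildcard only as an explicit, documented fallback. Dropping the `default_headers` override also leaves Rails' default `X-Frame-Options: SAMEORIGIN` in place unless it is unset elsewhere in config outside this diff; browsers that honour `frame-ancestors` ignore X-Frame-Options when both headers are present, but a one-line comment next to the directive saying so would save the next reader a debugging session. Finally, the nonce generator at the bottom of the file appears to have no effect while `script_src`/`style_src` stay commented out, since Rails only appends the nonce to directives that are actually set, so either enable those directives or drop the generator so the file does not suggest hardening it does not provide.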