From 172780dcd35327f29018cfcbbde57501d55ff01a Mon Sep 17 00:00:00 2001
From: Mo Bitar
Date: Tue, 8 Aug 2017 10:22:38 -0500
Subject: [PATCH] Security headers, fix offline saving issue
---
 Gemfile | 2 ++
 Gemfile.lock | 4 +++
 .../javascripts/app/services/authManager.js | 6 ++---
 config/application.rb | 25 +++++++++++++++++++
 config/environments/production.rb | 2 ++
 5 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/Gemfile b/Gemfile
index c45dca6b3..753576444 100644
--- a/Gemfile
+++ b/Gemfile
@@ -7,6 +7,8 @@ gem 'sass'
 gem "non-stupid-digest-assets"
+gem 'secure_headers'
+
 gem 'uglifier'
 gem 'rack-cors', :require => 'rack/cors'
diff --git a/Gemfile.lock b/Gemfile.lock
index 793fa2e02..7c79bb6c2 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -141,6 +141,8 @@ GEM
 sdoc (0.4.2)
 json (~> 1.7, >= 1.7.7)
 rdoc (~> 4.0)
+ secure_headers (3.6.7)
+ useragent
 sidekiq (4.2.7)
 concurrent-ruby (~> 1.0)
 connection_pool (~> 2.2, >= 2.2.0)
@@ -165,6 +167,7 @@ GEM
 thread_safe (~> 0.1)
 uglifier (3.0.3)
 execjs (>= 0.3.0, < 3)
+ useragent (0.16.8)
 web-console (2.3.0)
 activemodel (>= 4.0)
 binding_of_caller (>= 0.7.2)
@@ -196,6 +199,7 @@ DEPENDENCIES
 responders (~> 2.0)
 sass
 sdoc (~> 0.4.0)
+ secure_headers
 spring
 uglifier
 web-console (~> 2.0)
diff --git a/app/assets/javascripts/app/services/authManager.js b/app/assets/javascripts/app/services/authManager.js
index d2fa26802..3cd0eecff 100644
--- a/app/assets/javascripts/app/services/authManager.js
+++ b/app/assets/javascripts/app/services/authManager.js
@@ -53,9 +53,9 @@ angular.module('app.frontend')
 }
 this.protocolVersion = function() {
- var version = this.getAuthParams().version;
- if(version) {
- return version;
+ var authParams = this.getAuthParams();
+ if(authParams && authParams.version) {
+ return authParams.version;
 }
 var keys = this.keys();
diff --git a/config/application.rb b/config/application.rb
index 4d2728a6e..90f0f9d2d 100644
--- a/config/application.rb
+++ b/config/application.rb
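Review bot: The new guard `if(authParams && authParams.version)` silently falls through when `getAuthParams()` returns nothing, and nothing in the hunk records when that is expected, so the next reader may "simplify" it back to the crashing form. A one-line comment above `var authParams = this.getAuthParams();` would pin the intent, e.g. `// getAuthParams() returns nothing when no account is signed in (presumably the offline case this commit fixes); fall back to detecting the version from the stored keys`. The fallback via `this.keys()` and the rest of `protocolVersion` continue outside the hunk, so whether every path ends with a defined version cannot be checked here.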
@@ -39,6 +39,31 @@ module Neeto
 end
 end
+ SecureHeaders::Configuration.default do |config|
+ config.csp = {
+ # "meta" values. these will shape the header, but the values are not included in the header.
+ preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+ # directive values: these values will directly translate into source directives
+ default_src: %w(https: 'self'),
+ base_uri: %w('self'),
+ block_all_mixed_content: false, # see http://www.w3.org/TR/mixed-content/
+ child_src: ["*"],
+ connect_src: ["*"],
+ font_src: %w('self'),
+ form_action: %w('self'),
+ frame_ancestors: %w('none'),
+ img_src: %w('self' piwik.standardnotes.org data:),
+ manifest_src: %w('self'),
+ media_src: %w('self'),
+ object_src: %w('self'),
+ plugin_types: %w(),
+ script_src: %w('self' 'unsafe-inline' piwik.standardnotes.org),
+ style_src: %w(* 'unsafe-inline'),
+ upgrade_insecure_requests: false, # see https://www.w3.org/TR/upgrade-insecure-requests/
+ }
+ end
+
 # config.middleware.use Rack::Deflater
 config.middleware.insert_before(Rack::Sendfile, Rack::Deflater)
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 54a611321..5f32d7df6 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -1,6 +1,8 @@
 Rails.application.configure do
 # Settings specified here will take precedence over those in config/application.rb.
+ config.force_ssl = true
+
 # Code is not reloaded between requests.
 config.cache_classes = true
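Review bot: `'unsafe-inline'` in `script_src: %w('self' 'unsafe-inline' piwik.standardnotes.org)` lets any injected inline `<script>` execute, so the policy added in this hunk does not stop XSS, which is the main thing a CSP is for. If the app needs inline bootstrap scripts, serve them through per-request nonces (secure_headers 3.x has nonce helpers) or SHA-256 hashes and drop the keyword; the same applies to `style_src: %w(* 'unsafe-inline')`, where the `*` host source is also wider than anything visible here needs. `object_src: %w('self')` together with an empty `plugin_types: %w()` still allows same-origin plugin content that nothing in the hunk uses, so `object_src: %w('none')` with the `plugin_types` line removed is the safer default. `connect_src: ["*"]` and `child_src: ["*"]` let the page fetch from and frame any origin — presumably because users can point the client at their own sync server — and deserve a comment saying so, plus a `report_uri` (or a report-only rollout) so violations of the rest of the policy are ever seen. The block is defined inside the application class body next to the middleware setup rather than in a `config/initializers/secure_headers.rb`, which works but is not where the next maintainer will look for it.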
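Review bot: `config.force_ssl = true` turns on ActionDispatch::SSL, which besides the HTTPS redirect emits a Strict-Transport-Security header, and the secure_headers gem added in the same commit sends its own HSTS header by default, so responses can carry two STS headers with different max-age values; pick one owner, e.g. `config.hsts = SecureHeaders::OPT_OUT` in the SecureHeaders configuration, or tune Rails' SSL options and opt out there. Behind a TLS-terminating proxy the redirect relies on `X-Forwarded-Proto` being passed through, otherwise every request loops, which is worth a comment on this line such as `# Redirect HTTP to HTTPS and send HSTS; the proxy must forward X-Forwarded-Proto`. The `Rails.application.configure` block continues outside the hunk.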