Security headers, fix offline saving issue

2017-08-08 10:22:38 -05:00
parent 6dcaa9a151
commit 172780dcd3
5 changed files with 36 additions and 3 deletions
--- a/2
+++ b/2
@@ -7,6 +7,8 @@ gem 'sass'

 gem "non-stupid-digest-assets"

+gem 'secure_headers'
+
 gem 'uglifier'

 gem 'rack-cors', :require => 'rack/cors'
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -141,6 +141,8 @@ GEM
    sdoc (0.4.2)
      json (~> 1.7, >= 1.7.7)
      rdoc (~> 4.0)
+    secure_headers (3.6.7)
+      useragent
    sidekiq (4.2.7)
      concurrent-ruby (~> 1.0)
      connection_pool (~> 2.2, >= 2.2.0)
@@ -165,6 +167,7 @@ GEM
      thread_safe (~> 0.1)
    uglifier (3.0.3)
      execjs (>= 0.3.0, < 3)
+    useragent (0.16.8)
    web-console (2.3.0)
      activemodel (>= 4.0)
      binding_of_caller (>= 0.7.2)
@@ -196,6 +199,7 @@ DEPENDENCIES
  responders (~> 2.0)
  sass
  sdoc (~> 0.4.0)
+  secure_headers
  spring
  uglifier
  web-console (~> 2.0)
--- a/app/assets/javascripts/app/services/authManager.js
+++ b/app/assets/javascripts/app/services/authManager.js
@@ -53,9 +53,9 @@ angular.module('app.frontend')
      }

      this.protocolVersion = function() {
-        var version = this.getAuthParams().version;
-        if(version) {
-          return version;
+        var authParams = this.getAuthParams();
+        if(authParams && authParams.version) {
+          return authParams.version;
        }

        var keys = this.keys();
--- a/config/application.rb
+++ b/config/application.rb
@@ -39,6 +39,31 @@ module Neeto
      end
    end

+    SecureHeaders::Configuration.default do |config|
+      config.csp = {
+        # "meta" values. these will shape the header, but the values are not included in the header.
+         preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
+
+         # directive values: these values will directly translate into source directives
+         default_src: %w(https: 'self'),
+         base_uri: %w('self'),
+         block_all_mixed_content: false, # see http://www.w3.org/TR/mixed-content/
+         child_src: ["*"],
+         connect_src: ["*"],
+         font_src: %w('self'),
+         form_action: %w('self'),
+         frame_ancestors: %w('none'),
+         img_src: %w('self' piwik.standardnotes.org data:),
+         manifest_src: %w('self'),
+         media_src: %w('self'),
+         object_src: %w('self'),
+         plugin_types: %w(),
+         script_src: %w('self' 'unsafe-inline' piwik.standardnotes.org),
+         style_src: %w(* 'unsafe-inline'),
+         upgrade_insecure_requests: false, # see https://www.w3.org/TR/upgrade-insecure-requests/
+      }
+    end
+
    # config.middleware.use Rack::Deflater

    config.middleware.insert_before(Rack::Sendfile, Rack::Deflater)
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -1,6 +1,8 @@
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb.

+  config.force_ssl = true
+
  # Code is not reloaded between requests.
  config.cache_classes = true