Add Customized CSP (#1079)

* Remove nonces * Add custom csp for mirador viewer * Add additional connect-src and remove unsafe inline * Add back unsafe inline for blacklight range limit * rubocop * Add exceptions for style
yalelibrary · Jan 13, 2025 · 52e98f3 · 52e98f3
1 parent a90fce4
commit 52e98f3
Show file tree

Hide file tree

Showing 10 changed files with 20 additions and 12 deletions.
diff --git a/app/controllers/mirador_controller.rb b/app/controllers/mirador_controller.rb
@@ -2,6 +2,14 @@
 class MiradorController < ApplicationController
   include BlacklightHelper
 
+  # Allows Mirador to use inline JS to open viewer in new tab
+  content_security_policy(only: :show) do |policy|
+    policy.script_src_attr  :self, :unsafe_inline, 'siteimproveanalytics.com www.googletagmanager.com'
+    policy.script_src_elem  :self, :unsafe_inline, 'siteimproveanalytics.com www.googletagmanager.com'    # policy.style_src :self, :unsafe_inline
+    policy.style_src_attr :self, :unsafe_inline
+    policy.style_src_elem :self, :unsafe_inline
+  end
+
   def show
     @oid = number_or_nil params[:oid]
     @manifest = @oid ? manifest_url(@oid) : nil

diff --git a/app/views/application/landing.html.erb b/app/views/application/landing.html.erb
@@ -129,7 +129,7 @@
   </body>
 <% end %>
 
-<script nonce="<%= content_security_policy_nonce %>">
+<script>
 
 $(document).ready(function() {
     const images = [

diff --git a/app/views/catalog/_grouped_metadata.html.erb b/app/views/catalog/_grouped_metadata.html.erb
@@ -3,7 +3,7 @@
 </div>
 
 <% if @permission_set_terms.present? %>
-  <script nonce="<%= content_security_policy_nonce %>">
+  <script>
     let rights = document.querySelector('dd.blacklight-rights_ssim');
 
     function expandText() {

diff --git a/app/views/catalog/_schema_org_metadata.html.erb b/app/views/catalog/_schema_org_metadata.html.erb
@@ -1,3 +1,3 @@
-<script type="application/ld+json" nonce="<%= content_security_policy_nonce %>">
+<script type="application/ld+json">
   <%= raw metadata.to_json %>
 </script>
diff --git a/app/views/catalog/_uv.html.erb b/app/views/catalog/_uv.html.erb
@@ -23,7 +23,7 @@
 <div id='uv-pages'></div>
 <div id='parent-oid'><%= @document.id %></div>
 
-<script nonce="<%= content_security_policy_nonce %>">
+<script>
   $(document).ready(function(){
     window.addEventListener('message', (event) => {
       if (event.origin.match('<%= request.protocol %><%= request.host %>')) {

diff --git a/app/views/mirador/show.html.erb b/app/views/mirador/show.html.erb
@@ -4,13 +4,13 @@
   <%= render partial: 'shared/ga_header' %>
   <title>Yale Digital Collections Mirador Viewer</title>
   <meta name="robots" content="noindex"/>
-  <script src="/mirador.js" nonce="<%= content_security_policy_nonce %>"></script>
+  <script src="/mirador.js"></script>
 </head>
 <body>
   <%= render partial: 'shared/ga_body' %>
 <div id="my-mirador"/>
 
-<script type="text/javascript" nonce="<%= content_security_policy_nonce %>">
+<script type="text/javascript">
   let dc_mirador_config = {
       "id": "my-mirador"
   }

diff --git a/app/views/permission_requests/index.html.erb b/app/views/permission_requests/index.html.erb
@@ -46,7 +46,7 @@
   <% end %>
 </div>
 
-<script nonce="<%= content_security_policy_nonce %>">
+<script>
   function sortTable(n) {
     var table, rows, switching, i, x, y, shouldSwitch, dir, switchcount = 0;
     table = document.getElementById("permission-requests-table");

diff --git a/app/views/shared/_footer.html.erb b/app/views/shared/_footer.html.erb
@@ -53,7 +53,7 @@
     </div>
   </div>
 </div>
-<aside nonce="<%= content_security_policy_nonce %>">
+<aside>
   <div class="branch-name">
     Branch:<span title="SHA:<%=GIT_SHA%>"><%=ENV['BLACKLIGHT_VERSION']||GIT_BRANCH%></span>,Deployed:<%=DEPLOYED_AT%>
   </div>

diff --git a/app/views/shared/_ga_header.html.erb b/app/views/shared/_ga_header.html.erb
@@ -1,5 +1,5 @@
 <!-- Google Tag Manager -->
-<script nonce="<%= request.content_security_policy_nonce %>">
+<script>
 (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
 new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
 j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -11,13 +11,13 @@
       policy.font_src    :self, 'static.library.yale.edu'
       policy.img_src     :self, :https, :data, "#{ENV['IIIF_IMAGE_BASE_URL']}/"
       policy.object_src  :none
-      policy.script_src  :self, :unsafe_inline, 'siteimproveanalytics.com www.googletagmanager.com'
+      policy.script_src  :self, 'siteimproveanalytics.com www.googletagmanager.com'
       policy.script_src_attr  :self, :unsafe_inline, 'www.googletagmanager.com'
       policy.script_src_elem  :self, :unsafe_inline, 'siteimproveanalytics.com www.googletagmanager.com'
       policy.style_src :self, :unsafe_inline
       policy.style_src_attr :self, :unsafe_inline
-      policy.style_src_elem :self, :unsafe_inline, "#{ENV['IIIF_IMAGE_BASE_URL']}/"
-      policy.connect_src :self, "banner.library.yale.edu www.google-analytics.com #{ENV['IIIF_IMAGE_BASE_URL']}/"
+      policy.style_src_elem :self, "#{ENV['IIIF_IMAGE_BASE_URL']}/"
+      policy.connect_src :self, "banner.library.yale.edu www.google-analytics.com region1.google-analytics.com #{ENV['IIIF_IMAGE_BASE_URL']}/"
 
       # Specify URI for violation reports
       unless ENV['CLUSTER_NAME'] == 'local'
-Original file line number
+Diff line change
@@ Expand Up / @@ -53,7 +53,7 @@ @@
         </div>
       </div>
     </div>
-    <aside nonce="<%= content_security_policy_nonce %>">
+    <aside>
       <div class="branch-name">
         Branch:<span title="SHA:<%=GIT_SHA%>"><%=ENV['BLACKLIGHT_VERSION']||GIT_BRANCH%></span>,Deployed:<%=DEPLOYED_AT%>
       </div>
@@ Expand Down @@