Adds Custom CSP (#1472)

* Add custom csp

* Add custom csp for font awesome and inline JS

* reset to not use nonce directive

app/controllers/admin_sets_controller.rb

@@ -4,6 +4,15 @@ class AdminSetsController < ApplicationController
   load_and_authorize_resource
   before_action :set_admin_set, only: [:show, :edit, :update, :destroy]
 
+  # Allows FontAwesome icons to render
+  content_security_policy(only: :index) do |policy|
+    policy.script_src :self, :unsafe_inline
+    policy.script_src_attr  :self, :unsafe_inline
+    policy.script_src_elem  :self, :unsafe_inline
+    policy.style_src :self, :unsafe_inline
+    policy.style_src_elem :self, :unsafe_inline
+  end
+
   # GET /admin_sets
   # GET /admin_sets.json
   def index

app/controllers/child_objects_controller.rb

@@ -5,6 +5,15 @@ class ChildObjectsController < ApplicationController
   before_action :set_paper_trail_whodunnit
   load_and_authorize_resource except: [:new, :create, :update_checksum]
 
+  # Allows FontAwesome icons to render on child object datatable
+  content_security_policy(only: :index) do |policy|
+    policy.script_src :self, :unsafe_inline
+    policy.script_src_attr  :self, :unsafe_inline
+    policy.script_src_elem  :self, :unsafe_inline
+    policy.style_src :self, :unsafe_inline
+    policy.style_src_elem :self, :unsafe_inline
+  end
+
   # GET /child_objects
   # GET /child_objects.json
   def index

app/controllers/management_controller.rb

@@ -3,6 +3,15 @@
 class ManagementController < ApplicationController
   skip_before_action :authenticate_user!
 
+  # Allows FontAwesome icons to render in header
+  content_security_policy(only: [:index, :show]) do |policy|
+    policy.script_src :self, :unsafe_inline
+    policy.script_src_attr  :self, :unsafe_inline
+    policy.script_src_elem  :self, :unsafe_inline
+    policy.style_src :self, :unsafe_inline
+    policy.style_src_elem :self, :unsafe_inline
+  end
+
   def index
     @batch_process = BatchProcess.new
   end

app/controllers/parent_objects_controller.rb

@@ -6,6 +6,15 @@ class ParentObjectsController < ApplicationController
   before_action :set_permission_set, only: [:edit, :update]
   load_and_authorize_resource except: [:solr_document, :new, :create, :update_metadata, :all_metadata, :reindex, :select_thumbnail, :update_manifests, :update_digital_objects]
 
+  # Allows FontAwesome icons to render on datatable and show pages
+  content_security_policy(only: [:index, :show]) do |policy|
+    policy.script_src :self, :unsafe_inline
+    policy.script_src_attr  :self, :unsafe_inline
+    policy.script_src_elem  :self, :unsafe_inline
+    policy.style_src :self, :unsafe_inline
+    policy.style_src_elem :self, :unsafe_inline
+  end
+
   # GET /parent_objects
   # GET /parent_objects.json
   def index

app/controllers/permission_requests_controller.rb

@@ -4,6 +4,19 @@ class PermissionRequestsController < ApplicationController
   load_and_authorize_resource class: OpenWithPermission::PermissionRequest
   before_action :set_permission_request, only: [:show, :edit, :update, :destroy]
 
+  # Allows inline JS to function on show/edit page and allows FontAwesome icons to render on datatable
+  content_security_policy do |policy|
+    policy.script_src :self, :unsafe_inline
+    policy.script_src_attr  :self, :unsafe_inline
+    policy.script_src_elem  :self, :unsafe_inline
+    policy.style_src :self, :unsafe_inline
+    policy.style_src_elem :self, :unsafe_inline
+
+    config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+
+    config.content_security_policy_nonce_directives = %w[script-src]
+  end
+
   # GET /permission_requests
   # GET /permission_requests.json
   def index

app/controllers/permission_sets_controller.rb

@@ -6,6 +6,15 @@ class PermissionSetsController < ApplicationController
   before_action :set_permission_set, only: [:show, :edit, :update, :destroy, :permission_set_terms, :post_permission_set_terms, :new_term, :deactivate_permission_set_terms]
   # rubocop:enable Layout/LineLength
 
+  # Allows FontAwesome icons to render on all permission set and permission set terms pages
+  content_security_policy do |policy|
+    policy.script_src :self, :unsafe_inline
+    policy.script_src_attr  :self, :unsafe_inline
+    policy.script_src_elem  :self, :unsafe_inline
+    policy.style_src :self, :unsafe_inline
+    policy.style_src_elem :self, :unsafe_inline
+  end
+
   # GET /permission_sets
   # GET /permission_sets.json
   def index

app/controllers/preservica_ingests_controller.rb

@@ -1,6 +1,15 @@
 # frozen_string_literal: true
 
 class PreservicaIngestsController < ApplicationController
+  # Allows FontAwesome icons to render on index
+  content_security_policy(only: :index) do |policy|
+    policy.script_src :self, :unsafe_inline
+    policy.script_src_attr  :self, :unsafe_inline
+    policy.script_src_elem  :self, :unsafe_inline
+    policy.style_src :self, :unsafe_inline
+    policy.style_src_elem :self, :unsafe_inline
+  end
+
   # GET /preservica_ingest
   # GET /preservica_ingest.json
   def index

app/controllers/problem_reports_controller.rb

@@ -1,6 +1,15 @@
 # frozen_string_literal: true
 
 class ProblemReportsController < ApplicationController
+  # Allows FontAwesome icons to render on datatable
+  content_security_policy(only: :index) do |policy|
+    policy.script_src :self, :unsafe_inline
+    policy.script_src_attr  :self, :unsafe_inline
+    policy.script_src_elem  :self, :unsafe_inline
+    policy.style_src :self, :unsafe_inline
+    policy.style_src_elem :self, :unsafe_inline
+  end
+
   # GET /problem_reports
   # GET /problem_reports.json
   def index

app/controllers/redirected_parent_objects_controller.rb

@@ -1,6 +1,15 @@
 # frozen_string_literal: true
 
 class RedirectedParentObjectsController < ApplicationController
+  # Allows FontAwesome icons to render on datatable and show pages
+  content_security_policy(only: [:index, :show]) do |policy|
+    policy.script_src :self, :unsafe_inline
+    policy.script_src_attr  :self, :unsafe_inline
+    policy.script_src_elem  :self, :unsafe_inline
+    policy.style_src :self, :unsafe_inline
+    policy.style_src_elem :self, :unsafe_inline
+  end
+
   # GET /redirected_parent_objects
   # GET /redirected_parent_objects.json
   def index

app/controllers/users_controller.rb

@@ -4,6 +4,15 @@ class UsersController < ApplicationController
   load_and_authorize_resource
   before_action :set_user, only: [:edit, :update, :show]
 
+  # Allows FontAwesome icons to render on index
+  content_security_policy(only: :index) do |policy|
+    policy.script_src :self, :unsafe_inline
+    policy.script_src_attr  :self, :unsafe_inline
+    policy.script_src_elem  :self, :unsafe_inline
+    policy.style_src :self, :unsafe_inline
+    policy.style_src_elem :self, :unsafe_inline
+  end
+
   def index
     respond_to do |format|
       format.html

app/controllers/versions_controller.rb

@@ -1,6 +1,15 @@
 # frozen_string_literal: true
 
 class VersionsController < ApplicationController
+  # Allows FontAwesome icons to render on index
+  content_security_policy(only: :index) do |policy|
+    policy.script_src :self, :unsafe_inline
+    policy.script_src_attr  :self, :unsafe_inline
+    policy.script_src_elem  :self, :unsafe_inline
+    policy.style_src :self, :unsafe_inline
+    policy.style_src_elem :self, :unsafe_inline
+  end
+
   def index
     parent_object = ParentObject.find(params[:parent_object_id])
     batch_connections = parent_object.batch_connections

config/initializers/content_security_policy.rb

@@ -9,14 +9,12 @@
     config.content_security_policy do |policy|
       policy.default_src :self, :https
       policy.font_src    :self, 'static.library.yale.edu'
-      policy.img_src     :self, :https, :data
+      policy.img_src     :self, :https, :data, "#{ENV['IIIF_IMAGE_BASE_URL']}/"
       policy.object_src  :none
-      policy.script_src  :self, :unsafe_inline, 'siteimproveanalytics.com'
-      policy.script_src_attr  :self, :unsafe_inline
-      policy.script_src_elem  :self, :unsafe_inline
-      policy.style_src :self, :unsafe_inline
-      policy.style_src_elem :self, :unsafe_inline
-      policy.connect_src :self
+      policy.script_src  :self, 'siteimproveanalytics.com'
+      policy.style_src :self
+      policy.style_src_elem :self, "#{ENV['IIIF_IMAGE_BASE_URL']}/"
+      policy.connect_src :self, "#{ENV['IIIF_IMAGE_BASE_URL']}/"
       # Specify URI for violation reports
       unless ENV['CLUSTER_NAME'] == 'local'
         policy.report_uri lambda {