From d07251d66eb18bcbfcf60e2d1737a2e10fa69c42 Mon Sep 17 00:00:00 2001
From: Kait Sewell <36549923+K8Sewell@users.noreply.github.com>
Date: Mon, 13 Jan 2025 15:41:01 -0600
Subject: [PATCH] Adds Custom CSP (#1472)

* Add custom csp
* Add custom csp for font awesome and inline JS
* reset to not use nonce directive
---
 app/controllers/admin_sets_controller.rb | 9 +++++++++
 app/controllers/child_objects_controller.rb | 9 +++++++++
 app/controllers/management_controller.rb | 9 +++++++++
 app/controllers/parent_objects_controller.rb | 9 +++++++++
 app/controllers/permission_requests_controller.rb | 13 +++++++++++++
 app/controllers/permission_sets_controller.rb | 9 +++++++++
 app/controllers/preservica_ingests_controller.rb | 9 +++++++++
 app/controllers/problem_reports_controller.rb | 9 +++++++++
 .../redirected_parent_objects_controller.rb | 9 +++++++++
 app/controllers/users_controller.rb | 9 +++++++++
 app/controllers/versions_controller.rb | 9 +++++++++
 config/initializers/content_security_policy.rb | 12 +++++-------
 12 files changed, 108 insertions(+), 7 deletions(-)

diff --git a/app/controllers/admin_sets_controller.rb b/app/controllers/admin_sets_controller.rb
index ed8095d36..9c3294f16 100644
--- a/app/controllers/admin_sets_controller.rb
+++ b/app/controllers/admin_sets_controller.rb
@@ -4,6 +4,15 @@ class AdminSetsController < ApplicationController
 load_and_authorize_resource
 before_action :set_admin_set, only: [:show, :edit, :update, :destroy]
 
+ # Allows FontAwesome icons to render
+ content_security_policy(only: :index) do |policy|
+ policy.script_src :self, :unsafe_inline
+ policy.script_src_attr :self, :unsafe_inline
+ policy.script_src_elem :self, :unsafe_inline
+ policy.style_src :self, :unsafe_inline
+ policy.style_src_elem :self, :unsafe_inline
+ end
+
 # GET /admin_sets
 # GET /admin_sets.json
 def index
diff --git a/app/controllers/child_objects_controller.rb b/app/controllers/child_objects_controller.rb
index 7eb9fb7da..af520b3e2 100644
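Review bot: The `policy.script_src`, `policy.script_src_attr` and `policy.script_src_elem` lines added under `content_security_policy(only: :index)` put `'unsafe-inline'` back into the script directives for this action, which undoes on these pages exactly what the config/initializers/content_security_policy.rb hunk of this same commit removes globally, and the same block is pasted into the child_objects, management, parent_objects, permission_requests, permission_sets, preservica_ingests, problem_reports, redirected_parent_objects, users and versions controllers (in management it applies to actions that also `skip_before_action :authenticate_user!`, i.e. unauthenticated pages). The comment attributes the override to FontAwesome icons, and the CSS/webfont distribution of that library would typically need style-src and font-src rather than any script directive, so unless an actual inline script on this page is identified the override can shrink to `policy.style_src :self, :unsafe_inline` and `policy.style_src_elem :self, :unsafe_inline`, leaving scripts at the initializer's self-only setting. Any inline script that does turn out to be required is better served by a nonce or by moving it into an asset than by relaxing script-src per controller. With eleven identical copies, one class-level helper in ApplicationController that accepts the `only:` options would keep the exception in a single reviewable place. The comment should also say what is being relaxed and why, e.g. `# Relaxes style-src only: FontAwesome icon CSS on the index datatable needs inline styles`.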
--- a/app/controllers/child_objects_controller.rb
+++ b/app/controllers/child_objects_controller.rb
@@ -5,6 +5,15 @@ class ChildObjectsController < ApplicationController
 before_action :set_paper_trail_whodunnit
 load_and_authorize_resource except: [:new, :create, :update_checksum]
 
+ # Allows FontAwesome icons to render on child object datatable
+ content_security_policy(only: :index) do |policy|
+ policy.script_src :self, :unsafe_inline
+ policy.script_src_attr :self, :unsafe_inline
+ policy.script_src_elem :self, :unsafe_inline
+ policy.style_src :self, :unsafe_inline
+ policy.style_src_elem :self, :unsafe_inline
+ end
+
 # GET /child_objects
 # GET /child_objects.json
 def index
diff --git a/app/controllers/management_controller.rb b/app/controllers/management_controller.rb
index ae89a39db..d445e65c7 100644
--- a/app/controllers/management_controller.rb
+++ b/app/controllers/management_controller.rb
@@ -3,6 +3,15 @@
 class ManagementController < ApplicationController
 skip_before_action :authenticate_user!
 
+ # Allows FontAwesome icons to render in header
+ content_security_policy(only: [:index, :show]) do |policy|
+ policy.script_src :self, :unsafe_inline
+ policy.script_src_attr :self, :unsafe_inline
+ policy.script_src_elem :self, :unsafe_inline
+ policy.style_src :self, :unsafe_inline
+ policy.style_src_elem :self, :unsafe_inline
+ end
+
 def index
 @batch_process = BatchProcess.new
 end
diff --git a/app/controllers/parent_objects_controller.rb b/app/controllers/parent_objects_controller.rb
index b05d88ce7..5a9450633 100644
--- a/app/controllers/parent_objects_controller.rb
+++ b/app/controllers/parent_objects_controller.rb
@@ -6,6 +6,15 @@ class ParentObjectsController < ApplicationController
 before_action :set_permission_set, only: [:edit, :update]
 load_and_authorize_resource except: [:solr_document, :new, :create, :update_metadata, :all_metadata, :reindex, :select_thumbnail, :update_manifests, :update_digital_objects]
 
+ # Allows FontAwesome icons to render on datatable and show pages
+ content_security_policy(only: [:index, :show]) do |policy|
+ policy.script_src :self, :unsafe_inline
+ policy.script_src_attr :self, :unsafe_inline
+ policy.script_src_elem :self, :unsafe_inline
+ policy.style_src :self, :unsafe_inline
+ policy.style_src_elem :self, :unsafe_inline
+ end
+
 # GET /parent_objects
 # GET /parent_objects.json
 def index
diff --git a/app/controllers/permission_requests_controller.rb b/app/controllers/permission_requests_controller.rb
index a58095b25..4144f6f74 100644
--- a/app/controllers/permission_requests_controller.rb
+++ b/app/controllers/permission_requests_controller.rb
@@ -4,6 +4,19 @@ class PermissionRequestsController < ApplicationController
 load_and_authorize_resource class: OpenWithPermission::PermissionRequest
 before_action :set_permission_request, only: [:show, :edit, :update, :destroy]
 
+ # Allows inline JS to function on show/edit page and allows FontAwesome icons to render on datatable
+ content_security_policy do |policy|
+ policy.script_src :self, :unsafe_inline
+ policy.script_src_attr :self, :unsafe_inline
+ policy.script_src_elem :self, :unsafe_inline
+ policy.style_src :self, :unsafe_inline
+ policy.style_src_elem :self, :unsafe_inline
+
+ config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
+
+ config.content_security_policy_nonce_directives = %w[script-src]
+ end
+
 # GET /permission_requests
 # GET /permission_requests.json
 def index
diff --git a/app/controllers/permission_sets_controller.rb b/app/controllers/permission_sets_controller.rb
index 809722f4c..99fa67bc6 100644
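Review bot: The `config.content_security_policy_nonce_generator` and `config.content_security_policy_nonce_directives` assignments sit inside the per-request `content_security_policy do |policy|` block, where `config` appears to resolve to the controller's own configuration object rather than `Rails.application.config`, so the CSP middleware most likely never sees them and they run as no-op assignments on every request; the commit message ("reset to not use nonce directive") suggests they were meant to be removed anyway. If a nonce did reach `script-src`, CSP-compliant browsers ignore `'unsafe-inline'` in that directive, so the nonce lines and the `policy.script_src :self, :unsafe_inline` line in the same block cannot both be effective. Suggest deleting the two `config.` lines and their surrounding blank lines and choosing one mechanism for the inline JS on the show/edit page, preferably a nonce configured once in the initializer with `javascript_tag nonce: true` in the views. If the nonce route is kept, a nonce derived from the session id stays constant for the whole session and places the session identifier in the page body, so a per-response random value is the safer default; the usual reason to pick the session id is compatibility with fragment caching, which should be stated in a comment if that is the motivation.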
--- a/app/controllers/permission_sets_controller.rb
+++ b/app/controllers/permission_sets_controller.rb
@@ -6,6 +6,15 @@ class PermissionSetsController < ApplicationController
 before_action :set_permission_set, only: [:show, :edit, :update, :destroy, :permission_set_terms, :post_permission_set_terms, :new_term, :deactivate_permission_set_terms]
 # rubocop:enable Layout/LineLength
 
+ # Allows FontAwesome icons to render on all permission set and permission set terms pages
+ content_security_policy do |policy|
+ policy.script_src :self, :unsafe_inline
+ policy.script_src_attr :self, :unsafe_inline
+ policy.script_src_elem :self, :unsafe_inline
+ policy.style_src :self, :unsafe_inline
+ policy.style_src_elem :self, :unsafe_inline
+ end
+
 # GET /permission_sets
 # GET /permission_sets.json
 def index
diff --git a/app/controllers/preservica_ingests_controller.rb b/app/controllers/preservica_ingests_controller.rb
index 5b29162ca..aeea1f13d 100644
--- a/app/controllers/preservica_ingests_controller.rb
+++ b/app/controllers/preservica_ingests_controller.rb
@@ -1,6 +1,15 @@
 # frozen_string_literal: true
 
 class PreservicaIngestsController < ApplicationController
+ # Allows FontAwesome icons to render on index
+ content_security_policy(only: :index) do |policy|
+ policy.script_src :self, :unsafe_inline
+ policy.script_src_attr :self, :unsafe_inline
+ policy.script_src_elem :self, :unsafe_inline
+ policy.style_src :self, :unsafe_inline
+ policy.style_src_elem :self, :unsafe_inline
+ end
+
 # GET /preservica_ingest
 # GET /preservica_ingest.json
 def index
diff --git a/app/controllers/problem_reports_controller.rb b/app/controllers/problem_reports_controller.rb
index 014518a0a..ef0c0faa0 100644
--- a/app/controllers/problem_reports_controller.rb
+++ b/app/controllers/problem_reports_controller.rb
@@ -1,6 +1,15 @@
 # frozen_string_literal: true
 
 class ProblemReportsController < ApplicationController
+ # Allows FontAwesome icons to render on datatable
+ content_security_policy(only: :index) do |policy|
+ policy.script_src :self, :unsafe_inline
+ policy.script_src_attr :self, :unsafe_inline
+ policy.script_src_elem :self, :unsafe_inline
+ policy.style_src :self, :unsafe_inline
+ policy.style_src_elem :self, :unsafe_inline
+ end
+
 # GET /problem_reports
 # GET /problem_reports.json
 def index
diff --git a/app/controllers/redirected_parent_objects_controller.rb b/app/controllers/redirected_parent_objects_controller.rb
index 51e5a7c58..e7affb697 100644
--- a/app/controllers/redirected_parent_objects_controller.rb
+++ b/app/controllers/redirected_parent_objects_controller.rb
@@ -1,6 +1,15 @@
 # frozen_string_literal: true
 
 class RedirectedParentObjectsController < ApplicationController
+ # Allows FontAwesome icons to render on datatable and show pages
+ content_security_policy(only: [:index, :show]) do |policy|
+ policy.script_src :self, :unsafe_inline
+ policy.script_src_attr :self, :unsafe_inline
+ policy.script_src_elem :self, :unsafe_inline
+ policy.style_src :self, :unsafe_inline
+ policy.style_src_elem :self, :unsafe_inline
+ end
+
 # GET /redirected_parent_objects
 # GET /redirected_parent_objects.json
 def index
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 4560045ce..d6957c9cd 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -4,6 +4,15 @@ class UsersController < ApplicationController
 load_and_authorize_resource
 before_action :set_user, only: [:edit, :update, :show]
 
+ # Allows FontAwesome icons to render on index
+ content_security_policy(only: :index) do |policy|
+ policy.script_src :self, :unsafe_inline
+ policy.script_src_attr :self, :unsafe_inline
+ policy.script_src_elem :self, :unsafe_inline
+ policy.style_src :self, :unsafe_inline
+ policy.style_src_elem :self, :unsafe_inline
+ end
+
 def index
 respond_to do |format|
 format.html
diff --git a/app/controllers/versions_controller.rb b/app/controllers/versions_controller.rb
index 115e33d2d..63f2e84ab 100644
--- a/app/controllers/versions_controller.rb
+++ b/app/controllers/versions_controller.rb
@@ -1,6 +1,15 @@
 # frozen_string_literal: true
 
 class VersionsController < ApplicationController
+ # Allows FontAwesome icons to render on index
+ content_security_policy(only: :index) do |policy|
+ policy.script_src :self, :unsafe_inline
+ policy.script_src_attr :self, :unsafe_inline
+ policy.script_src_elem :self, :unsafe_inline
+ policy.style_src :self, :unsafe_inline
+ policy.style_src_elem :self, :unsafe_inline
+ end
+
 def index
 parent_object = ParentObject.find(params[:parent_object_id])
 batch_connections = parent_object.batch_connections
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index a6cb1b9ff..3420982ff 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -9,14 +9,12 @@
 config.content_security_policy do |policy|
 policy.default_src :self, :https
 policy.font_src :self, 'static.library.yale.edu'
- policy.img_src :self, :https, :data
+ policy.img_src :self, :https, :data, "#{ENV['IIIF_IMAGE_BASE_URL']}/"
 policy.object_src :none
- policy.script_src :self, :unsafe_inline, 'siteimproveanalytics.com'
- policy.script_src_attr :self, :unsafe_inline
- policy.script_src_elem :self, :unsafe_inline
- policy.style_src :self, :unsafe_inline
- policy.style_src_elem :self, :unsafe_inline
- policy.connect_src :self
+ policy.script_src :self, 'siteimproveanalytics.com'
+ policy.style_src :self
+ policy.style_src_elem :self, "#{ENV['IIIF_IMAGE_BASE_URL']}/"
+ policy.connect_src :self, "#{ENV['IIIF_IMAGE_BASE_URL']}/"
 # Specify URI for violation reports
 unless ENV['CLUSTER_NAME'] == 'local'
 policy.report_uri lambda {