From 4da1c78bb77a6f02179433cf24ce4b1235d13abd Mon Sep 17 00:00:00 2001
From: Benjamin Neff
Date: Thu, 8 Sep 2016 02:00:34 +0200
Subject: [PATCH] Add secure_header gem to add some security related headers

basic config for Content Security Policies
---
 Gemfile | 8 ++++----
 Gemfile.lock | 5 ++++-
 config.ru | 1 -
 config/initializers/secure_headers.rb | 19 +++++++++++++++++++
 4 files changed, 27 insertions(+), 6 deletions(-)
 create mode 100644 config/initializers/secure_headers.rb

diff --git a/Gemfile b/Gemfile
index 873178880..5a667751c 100644
--- a/Gemfile
+++ b/Gemfile
@@ -137,6 +137,10 @@ gem "twitter-text", "1.14.0"
 gem "ruby-oembed", "0.10.1"
 gem "open_graph_reader", "0.6.1"
 
+# Security Headers
+
+gem "secure_headers", "3.4.1"
+
 # Services
 
 gem "omniauth", "1.3.1"
@@ -211,10 +215,6 @@ group :production do
 # we don"t install these on travis to speed up test runs
 gem "rack-google-analytics", "1.2.0"
 gem "rack-piwik", "0.3.0", require: "rack/piwik"
- # Click-jacking protection
-
- gem "rack-protection", "1.5.3"
-
 # Process management
 
 gem "eye", "0.8.1"
diff --git a/Gemfile.lock b/Gemfile.lock
index 038bb6c4f..d398a53f8 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -780,6 +780,8 @@ GEM
 scss_lint (0.49.0)
 rake (>= 0.9, < 12)
 sass (~> 3.4.20)
+ secure_headers (3.4.1)
+ useragent
 securecompare (1.0.0)
 shellany (0.0.1)
 shoulda-matchers (3.1.1)
@@ -877,6 +879,7 @@ GEM
 get_process_mem (~> 0)
 unicorn (>= 4, < 6)
 url_safe_base64 (0.2.2)
+ useragent (0.16.8)
 uuid (2.3.8)
 macaddr (~> 1.0)
 valid (1.2.0)
@@ -993,7 +996,6 @@ DEPENDENCIES
 rack-cors (= 0.4.0)
 rack-google-analytics (= 1.2.0)
 rack-piwik (= 0.3.0)
- rack-protection (= 1.5.3)
 rack-rewrite (= 1.5.1)
 rack-ssl (= 1.4.1)
 rails (= 4.2.7.1)
@@ -1026,6 +1028,7 @@ DEPENDENCIES
 ruby-oembed (= 0.10.1)
 rubyzip (= 1.2.0)
 sass-rails (= 5.0.6)
+ secure_headers (= 3.4.1)
 shoulda-matchers (= 3.1.1)
 sidekiq (= 4.1.4)
 sidekiq-cron (= 0.4.2)
diff --git a/config.ru b/config.ru
index 2f5ac99d8..44a140077 100644
--- a/config.ru
+++ b/config.ru
@@ -17,6 +17,5 @@ if defined?(Unicorn)
 end
 use Rack::Deflater
 use Rack::InternetExplorerVersion, minimum: 9
-use Rack::Protection::FrameOptions
 run Diaspora::Application
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
new file mode 100644
index 000000000..bdf5cd571
--- /dev/null
+++ b/config/initializers/secure_headers.rb
@@ -0,0 +1,19 @@
+SecureHeaders::Configuration.default do |config|
+ config.hsts = SecureHeaders::OPT_OUT # added by Rack::SSL
+
+ config.csp = {
+ default_src: %w('none'),
+ child_src: %w('self' www.youtube.com w.soundcloud.com twitter.com platform.twitter.com syndication.twitter.com
+ player.vimeo.com www.mixcloud.com www.dailymotion.com media.ccc.de bandcamp.com
+ www.instagram.com),
+ connect_src: %w('self' embedr.flickr.com geo.query.yahoo.com nominatim.openstreetmap.org api.github.com),
+ font_src: %w('self'),
+ form_action: %w('self' platform.twitter.com syndication.twitter.com),
+ frame_ancestors: %w('self'),
+ img_src: %w('self' data: *),
+ media_src: %w(https:),
+ script_src: %w('self' 'unsafe-eval' platform.twitter.com cdn.syndication.twimg.com widgets.flickr.com
+ embedr.flickr.com platform.instagram.com),
+ style_src: %w('self' 'unsafe-inline' platform.twitter.com *.twimg.com)
+ }
+end
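Review bot: `script_src` carries `'unsafe-eval'` and `style_src` carries `'unsafe-inline'` with nothing recording which code needs them, so the policy still lets any attacker-controlled string that reaches `eval`/`new Function` execute and a later maintainer cannot tell when the exception can be dropped; put a why-comment on each, e.g. `# 'unsafe-eval' — needed by <which library?>, TODO confirm and remove once no longer required`. `base_uri` is not set and does not fall back to `default_src: 'none'`, so an injected `<base>` element can still redirect every relative URL on the page; add `base_uri: %w('self'),`. There is also no `report_uri`, so a policy this strict on an existing app will break embeds silently — consider rolling it out report-only first (secure_headers 3.x appears to accept `report_only: true` and `report_uri:` inside this hash; verify against the gem's README). `img_src: %w('self' data: *)` reduces to `*` plus `data:`, which also admits plain-http image origins; if HTTPS-only was intended, `%w('self' data: https:)` says so. Since `use Rack::Protection::FrameOptions` is removed in config.ru, `X-Frame-Options` for browsers without `frame-ancestors` support now depends on secure_headers' default for that header — confirm it is still emitted.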