Add settings for CSP to diaspora.yml

closes #7128
2016-09-29 02:51:33 +02:00 · 2016-09-29 02:51:33 +02:00 · ec8a49b338
commit ec8a49b338
parent caef670934
4 changed files with 27 additions and 0 deletions
--- a/Changelog.md
+++ b/Changelog.md
@ -42,6 +42,7 @@ Note: Although this is a minor release, the configuration file changed because t
 * Don't federate to pods that have been offline for an extended period of time [#7120](https://github.com/diaspora/diaspora/pull/7120)
 * Add In-Reply-To and References headers to notification mails [#7122](https://github.com/diaspora/diaspora/pull/7122)
 * Directly link to a comment in commented notification mails [#7124](https://github.com/diaspora/diaspora/pull/7124)
+* Add optional `Content-Security-Policy` header [#7128](https://github.com/diaspora/diaspora/pull/7128)

 # 0.6.0.1

--- a/config/defaults.yml
+++ b/config/defaults.yml
@ -148,6 +148,9 @@ defaults:
    default_metas:
      title: 'diaspora* social network'
      description: 'diaspora* is the online social world where you are in control.'
+    csp:
+      report_only: true
+      report_uri:
  services:
    facebook:
      enable: false
--- a/config/diaspora.yml.example
+++ b/config/diaspora.yml.example
@ -551,6 +551,26 @@ configuration: ## Section
      #title: 'diaspora* social network'
      #description: 'diaspora* is the online social world where you are in control.'

+    ## CSP (Content Security Policy) header
+    ## CSP allows limiting origins from where resources are allowed to be loaded. This
+    ## improves security, since it helps to detect and mitigate cross-site scripting
+    ## and data injection attacks. The default policy of diaspora* allows all third
+    ## party domains from services that are included in diaspora*, like OEmbed
+    ## scripts, so you can safely activate it by setting `report_only` to false. If
+    ## you customized diaspora* (edited templates or added own JS), additional work
+    ## may be required. You can test the policy with the "report_uri". Our default CSP
+    ## does not work with Google analytics or Piwik, because they inject JS code that
+    ## is blocked by CSP.
+    csp:
+      ## Report-Only header (default=true)
+      ## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
+      ## this to false, the "Content-Security-Policy" header is added instead.
+      #report_only: false
+
+      ## CSP report URI (default=)
+      ## You can set an URI here, where the user agent reports violations as JSON document via a POST request.
+      #report_uri: "/csp_violation_reports"
+
  ## Posting from Diaspora to external services (all are disabled by default).
  services: ## Section

--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
@ -40,6 +40,9 @@ SecureHeaders::Configuration.default do |config|
  config.csp[:script_src] << "static.chartbeat.com" if AppConfig.privacy.chartbeat_uid.present?
  config.csp[:form_action] << "www.paypal.com" if AppConfig.settings.paypal_donations.enable?

+  config.csp[:report_only] = AppConfig.settings.csp.report_only?
+  config.csp[:report_uri] = [AppConfig.settings.csp.report_uri] if AppConfig.settings.csp.report_uri.present?
+
  # Add frame-src but don't spam the log with DEPRECATION warnings.
  # We need frame-src to support older versions of Chrome, because secure_headers handles all Chrome browsers as
  # "modern" browser, and ignores the version of the browser. We can drop this once we support only Chrome