From ec8a49b338b73fa67b7eb08f74fb7b87fa9a514b Mon Sep 17 00:00:00 2001
From: Benjamin Neff
Date: Thu, 29 Sep 2016 02:51:33 +0200
Subject: [PATCH] Add settings for CSP to diaspora.yml closes #7128
---
 Changelog.md | 1 +
 config/defaults.yml | 3 +++
 config/diaspora.yml.example | 20 ++++++++++++++++++++
 config/initializers/secure_headers.rb | 3 +++
 4 files changed, 27 insertions(+)
diff --git a/Changelog.md b/Changelog.md
index b285e50b6..e04c7a1af 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -42,6 +42,7 @@ Note: Although this is a minor release, the configuration file changed because t
 * Don't federate to pods that have been offline for an extended period of time [#7120](https://github.com/diaspora/diaspora/pull/7120)
 * Add In-Reply-To and References headers to notification mails [#7122](https://github.com/diaspora/diaspora/pull/7122)
 * Directly link to a comment in commented notification mails [#7124](https://github.com/diaspora/diaspora/pull/7124)
+* Add optional `Content-Security-Policy` header [#7128](https://github.com/diaspora/diaspora/pull/7128)
 
 # 0.6.0.1
 
diff --git a/config/defaults.yml b/config/defaults.yml
index 886f5ba80..24dbe5432 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -148,6 +148,9 @@ defaults:
     default_metas:
       title: 'diaspora* social network'
       description: 'diaspora* is the online social world where you are in control.'
+    csp:
+      report_only: true
+      report_uri:
     services:
       facebook:
         enable: false
diff --git a/config/diaspora.yml.example b/config/diaspora.yml.example
index 830f6a15a..25f7291a2 100644
--- a/config/diaspora.yml.example
+++ b/config/diaspora.yml.example
@@ -551,6 +551,26 @@ configuration: ## Section
       #title: 'diaspora* social network'
       #description: 'diaspora* is the online social world where you are in control.'
 
+    ## CSP (Content Security Policy) header
+    ## CSP allows limiting origins from where resources are allowed to be loaded. This
+    ## improves security, since it helps to detect and mitigate cross-site scripting
+    ## and data injection attacks. The default policy of diaspora* allows all third
+    ## party domains from services that are included in diaspora*, like OEmbed
+    ## scripts, so you can safely activate it by setting `report_only` to false. If
+    ## you customized diaspora* (edited templates or added own JS), additional work
+    ## may be required. You can test the policy with the "report_uri". Our default CSP
+    ## does not work with Google analytics or Piwik, because they inject JS code that
+    ## is blocked by CSP.
+    csp:
+      ## Report-Only header (default=true)
+      ## By default diaspora* adds only a "Content-Security-Policy-Report-Only" header. If you set
+      ## this to false, the "Content-Security-Policy" header is added instead.
+      #report_only: false
+
+      ## CSP report URI (default=)
+      ## You can set an URI here, where the user agent reports violations as JSON document via a POST request.
+      #report_uri: "/csp_violation_reports"
+
     ## Posting from Diaspora to external services (all are disabled by default).
     services: ## Section
 
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
index 551059e81..cbc3721d1 100644
--- a/config/initializers/secure_headers.rb
+++ b/config/initializers/secure_headers.rb
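Review bot: The example `#report_uri: "/csp_violation_reports"` reads as if diaspora* ships a receiver at that path, but this patch adds no route or controller for it, so an operator who uncomments it as-is will have browsers POST reports that 404 (and any Rails action added later to receive them must also skip CSRF verification, since the user agent sends no authenticity token). Either point the example at an external collector or add a line such as `## diaspora* does not ship an endpoint for these reports; use an external collector or add your own.` While there, `You can set an URI here` should read `You can set a URI here`.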
@@ -40,6 +40,9 @@ SecureHeaders::Configuration.default do |config|
   config.csp[:script_src] << "static.chartbeat.com" if AppConfig.privacy.chartbeat_uid.present?
   config.csp[:form_action] << "www.paypal.com" if AppConfig.settings.paypal_donations.enable?
 
+  config.csp[:report_only] = AppConfig.settings.csp.report_only?
+  config.csp[:report_uri] = [AppConfig.settings.csp.report_uri] if AppConfig.settings.csp.report_uri.present?
+
   # Add frame-src but don't spam the log with DEPRECATION warnings.
   # We need frame-src to support older versions of Chrome, because secure_headers handles all Chrome browsers as
   # "modern" browser, and ignores the version of the browser. We can drop this once we support only Chrome
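Review bot: With the shipped defaults (`report_only: true`, empty `report_uri`) the two new assignments produce a Content-Security-Policy-Report-Only header that enforces nothing and reports only to the browser console, so a pod that never edits diaspora.yml gets neither protection nor a server-side signal; that trade-off deserves a comment above the first assignment, e.g. `# Report-Only by default: violations are only logged by the browser unless csp.report_uri is set. Set csp.report_only to false to enforce the policy.` The `report_uri` value is copied from config into the header verbatim, which is acceptable because it is operator-controlled, but a note that it must be a URL the configured browsers can POST to (absolute, or relative to this pod) would save debugging. As far as I recall, `:report_only` inside `config.csp` is the secure_headers 3.x spelling that later releases replaced with `config.csp_report_only`, so a short comment pinning the gem version this relies on would help whoever bumps it; I cannot confirm the installed version from this diff. The enclosing `SecureHeaders::Configuration.default` block starts and ends outside the hunk.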