diff --git a/Gemfile b/Gemfile
index 4f6d0f858e..4f0ae98482 100644
--- a/Gemfile
+++ b/Gemfile
@@ -27,7 +27,7 @@ gem "flipper-ui", "~> 0.10.2"
 gem "geo_pattern", "~> 1.4"
-gem "jquery-datetimepicker-rails", "~> 2.4", ">= 2.4.1.0"
+gem "jquery-datetimepicker-rails", git: "git://github.com/anglinb/jquery-datetimepicker-rails.git", tag: "v2.5.4.0"
 gem "jquery-turbolinks", "~> 2.1"
 gem "kaminari", "~> 1.0", ">= 1.0.1"
@@ -57,9 +57,10 @@ gem "rails-i18n", "~> 5.0", ">= 5.0.1"
 gem "redis-namespace", "~> 1.5", ">= 1.5.3"
 gem "ruby-progressbar", "~> 1.8", ">= 1.8.1", require: false
-gem "sass-rails", "~> 5.0", ">= 5.0.6"
-gem "sidekiq", "~> 5.0", ">= 5.0.4"
-gem "sprockets", "~> 3.7", ">= 3.7.1"
+gem "sass-rails", "~> 5.0", ">= 5.0.6"
+gem "secure_headers", "~> 4.0", ">= 4.0.0"
+gem "sidekiq", "~> 5.0", ">= 5.0.4"
+gem "sprockets", "~> 3.7", ">= 3.7.1"
 gem "turbolinks", github: "turbolinks/turbolinks-classic", ref: "37a7c296232d20a61bd1946f600da7f2009189db"
 gem "typhoeus", "~> 1.3"
diff --git a/Gemfile.lock b/Gemfile.lock
index ae8ac9eea7..66821796dc 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,3 +1,10 @@
+GIT
+ remote: git://github.com/anglinb/jquery-datetimepicker-rails.git
+ revision: 535e81708a45ef077b408b6e5a5c47196cbf911f
+ tag: v2.5.4.0
+ specs:
+ jquery-datetimepicker-rails (2.5.4.0)
+
 GIT
 remote: https://github.com/Soliah/peek-sidekiq.git
 revision: 261c857578ae6dc189506a35194785a4db51e54c
@@ -187,7 +194,6 @@ GEM
 hashdiff (0.3.6)
 hashie (3.5.6)
 i18n (0.8.6)
- jquery-datetimepicker-rails (2.4.1.0)
 jquery-turbolinks (2.1.0)
 railties (>= 3.1.0)
 turbolinks
@@ -390,6 +396,8 @@ GEM
 scss_lint (0.54.0)
 rake (>= 0.9, < 13)
 sass (~> 3.4.20)
+ secure_headers (4.0.0)
+ useragent (>= 0.15.0)
 shellany (0.0.1)
 sidekiq (5.0.4)
 concurrent-ruby (~> 1.0)
@@ -427,6 +435,7 @@ GEM
 execjs (>= 0.3.0, < 3)
 unicode-display_width (1.3.0)
 uniform_notifier (1.10.0)
+ useragent (0.16.8)
 vcr (3.0.3)
 web-console (3.5.1)
 actionview (>= 5.0)
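Review bot: The new `+gem "jquery-datetimepicker-rails"` line fetches the gem over `git://`, an unauthenticated and unencrypted transport, and pins it only to a tag, which is a mutable ref the fork owner can move; the `revision:` in Gemfile.lock is the only thing holding the content fixed. Prefer `https://` and a `ref:` pinned to the commit the lockfile already records: `gem "jquery-datetimepicker-rails", git: "https://github.com/anglinb/jquery-datetimepicker-rails.git", ref: "535e81708a45ef077b408b6e5a5c47196cbf911f"`. The change also moves the dependency from the published gem to a personal fork, so a one-line comment saying why the fork is needed (presumably an unreleased 2.5.x fix) would help whoever later tries to return to the rubygems release.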
@@ -466,7 +475,7 @@ DEPENDENCIES
 foreman (~> 0.84.0)
 geo_pattern (~> 1.4)
 guard-rspec (~> 4.7, >= 4.7.3)
- jquery-datetimepicker-rails (~> 2.4, >= 2.4.1.0)
+ jquery-datetimepicker-rails!
 jquery-turbolinks (~> 2.1)
 kaminari (~> 1.0, >= 1.0.1)
 knapsack (~> 1.14, >= 1.14.1)
@@ -502,6 +511,7 @@ DEPENDENCIES
 ruby-progressbar (~> 1.8, >= 1.8.1)
 sass-rails (~> 5.0, >= 5.0.6)
 scss_lint (~> 0.54.0)
+ secure_headers (~> 4.0, >= 4.0.0)
 sidekiq (~> 5.0, >= 5.0.4)
 simplecov (~> 0.15.0)
 spring (~> 2.0, >= 2.0.2)
diff --git a/app/controllers/pages_controller.rb b/app/controllers/pages_controller.rb
index bc91189811..5a90540dc1 100644
--- a/app/controllers/pages_controller.rb
+++ b/app/controllers/pages_controller.rb
@@ -6,6 +6,10 @@ class PagesController < ApplicationController
 skip_before_action :authenticate_user!
 def home
- redirect_to organizations_path if logged_in?
+ if logged_in?
+ redirect_to organizations_path
+ else
+ use_content_security_policy_named_append(:unauthed_video)
+ end
 end
 end
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
new file mode 100644
index 0000000000..0859564118
--- /dev/null
+++ b/config/initializers/secure_headers.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# Setup Secure Headers with default values
+SecureHeaders::Configuration.default do |config|
+ config.csp = {
+ default_src: ["https:", "'self'"],
+ style_src: ["'self',", "'unsafe-inline'"],
+ script_src: ["'self'"],
+ img_src: ["'self'", "data:", "*.githubusercontent.com"]
+ }
+end
+
+# Provide additional permissions on home page for video
+# `unauthed_video`
+SecureHeaders::Configuration.named_append(:unauthed_video) do
+ {
+ script_src: ["https://www.youtube.com", "https://s.ytimg.com"],
+ child_src: ["https://www.youtube.com", "https://s.ytimg.com"]
+ }
+end
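Review bot: The `else` branch's `use_content_security_policy_named_append(:unauthed_video)` widens the CSP for the whole logged-out home response without saying why, and nothing in the hunk ties the append to the content that needs it, so the next person to trim the policy has no anchor. A why-comment on that line would keep them in step: `# The logged-out landing page embeds a YouTube player; widen script/child sources for this response only`. Keeping the append out of the `logged_in?` branch means the stricter default policy still covers the redirect, which looks right.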
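Review bot: `style_src: ["'self',", "'unsafe-inline'"]` has a stray comma inside the first string, so the emitted directive is `style-src 'self', 'unsafe-inline'`; browsers treat `'self',` as an unrecognised source expression and drop it, which would block the app's own stylesheets while still allowing inline ones. Change it to `style_src: ["'self'", "'unsafe-inline'"]`. Separately, `default_src: ["https:", "'self'"]` is the fallback for every directive not listed here (connect, font, frame, media, object and more), so any HTTPS origin is permitted for those; narrowing it to `'self'` and listing the needed hosts per directive would make the policy meaningful rather than nominal. The `child_src` entry in the append is the older spelling of what current browsers read from `frame-src` (falling back to `child-src`), so setting `frame_src` alongside it, if this gem version accepts the key, avoids relying on the fallback.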