github-education-resources · anglinb · Sep 24, 2017 · Sep 24, 2017 · Sep 24, 2017 · Sep 24, 2017
diff --git a/Gemfile b/Gemfile
@@ -27,7 +27,7 @@ gem "flipper-ui", "~> 0.10.2"
 
 gem "geo_pattern", "~> 1.4"
 
-gem "jquery-datetimepicker-rails", "~> 2.4", ">= 2.4.1.0"
+gem "jquery-datetimepicker-rails", git: "git://github.com/anglinb/jquery-datetimepicker-rails.git", tag: "v2.5.4.0"
 gem "jquery-turbolinks", "~> 2.1"
 
 gem "kaminari", "~> 1.0", ">= 1.0.1"
@@ -57,9 +57,10 @@ gem "rails-i18n", "~> 5.0", ">= 5.0.1"
 gem "redis-namespace", "~> 1.5", ">= 1.5.3"
 gem "ruby-progressbar", "~> 1.8", ">= 1.8.1", require: false
 
-gem "sass-rails", "~> 5.0", ">= 5.0.6"
-gem "sidekiq", "~> 5.0", ">= 5.0.4"
-gem "sprockets", "~> 3.7", ">= 3.7.1"
+gem "sass-rails", "~> 5.0", ">= 5.0.6"
+gem "secure_headers", "~> 4.0", ">= 4.0.0"
+gem "sidekiq", "~> 5.0", ">= 5.0.4"
+gem "sprockets", "~> 3.7", ">= 3.7.1"
 
 gem "turbolinks", github: "turbolinks/turbolinks-classic", ref: "37a7c296232d20a61bd1946f600da7f2009189db"
 gem "typhoeus", "~> 1.3"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,3 +1,10 @@
+GIT
+ remote: git://github.com/anglinb/jquery-datetimepicker-rails.git
+ revision: 535e81708a45ef077b408b6e5a5c47196cbf911f
+ tag: v2.5.4.0
+ specs:
+ jquery-datetimepicker-rails (2.5.4.0)
+
 GIT
  remote: https://github.com/Soliah/peek-sidekiq.git
  revision: 261c857578ae6dc189506a35194785a4db51e54c
@@ -187,7 +194,6 @@ GEM
  hashdiff (0.3.6)
  hashie (3.5.6)
  i18n (0.8.6)
- jquery-datetimepicker-rails (2.4.1.0)
  jquery-turbolinks (2.1.0)
  railties (>= 3.1.0)
  turbolinks
@@ -390,6 +396,8 @@ GEM
  scss_lint (0.54.0)
  rake (>= 0.9, < 13)
  sass (~> 3.4.20)
+ secure_headers (4.0.0)
+ useragent (>= 0.15.0)
  shellany (0.0.1)
  sidekiq (5.0.4)
  concurrent-ruby (~> 1.0)
@@ -427,6 +435,7 @@ GEM
  execjs (>= 0.3.0, < 3)
  unicode-display_width (1.3.0)
  uniform_notifier (1.10.0)
+ useragent (0.16.8)
  vcr (3.0.3)
  web-console (3.5.1)
  actionview (>= 5.0)
@@ -466,7 +475,7 @@ DEPENDENCIES
  foreman (~> 0.84.0)
  geo_pattern (~> 1.4)
  guard-rspec (~> 4.7, >= 4.7.3)
- jquery-datetimepicker-rails (~> 2.4, >= 2.4.1.0)
+ jquery-datetimepicker-rails!
  jquery-turbolinks (~> 2.1)
  kaminari (~> 1.0, >= 1.0.1)
  knapsack (~> 1.14, >= 1.14.1)
@@ -502,6 +511,7 @@ DEPENDENCIES
  ruby-progressbar (~> 1.8, >= 1.8.1)
  sass-rails (~> 5.0, >= 5.0.6)
  scss_lint (~> 0.54.0)
+ secure_headers (~> 4.0, >= 4.0.0)
  sidekiq (~> 5.0, >= 5.0.4)
  simplecov (~> 0.15.0)
  spring (~> 2.0, >= 2.0.2)

diff --git a/app/controllers/pages_controller.rb b/app/controllers/pages_controller.rb
@@ -6,6 +6,10 @@ class PagesController < ApplicationController
  skip_before_action :authenticate_user!
 
  def home
- redirect_to organizations_path if logged_in?
+ if logged_in?
+ redirect_to organizations_path
+ else
+ use_content_security_policy_named_append(:unauthed_video)
+ end
  end
 end
diff --git a/config/initializers/secure_headers.rb b/config/initializers/secure_headers.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# Setup Secure Headers with default values
+SecureHeaders::Configuration.default do |config|
+ config.csp = {
+ default_src: ["https:", "'self'"],
+ style_src: ["'self',", "'unsafe-inline'"],
+ script_src: ["'self'"],
+ img_src: ["'self'", "data:", "*.githubusercontent.com"]
+ }
+end
+
+# Provide additional permissions on home page for video
+# `unauthed_video`
+SecureHeaders::Configuration.named_append(:unauthed_video) do
+ {
+ script_src: ["https://www.youtube.com", "https://s.ytimg.com"],
+ child_src: ["https://www.youtube.com", "https://s.ytimg.com"]
+ }
+end