Specs for minimal CSP policy in Api:: controllers (#27845)

2023-11-14 09:34:30 -05:00 · 2023-11-14 09:34:30 -05:00 · d562fb8459
commit d562fb8459
parent 4eb4e8b22c
3 changed files with 71 additions and 20 deletions
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@ -7,6 +7,7 @@ class Api::BaseController < ApplicationController
  include RateLimitHeaders
  include AccessTokenTrackingConcern
  include ApiCachingConcern
+  include Api::ContentSecurityPolicy

  skip_before_action :require_functional!, unless: :limited_federation_mode?

@ -17,26 +18,6 @@ class Api::BaseController < ApplicationController

  protect_from_forgery with: :null_session

-  content_security_policy do |p|
-    # Set every directive that does not have a fallback
-    p.default_src :none
-    p.frame_ancestors :none
-    p.form_action :none
-
-    # Disable every directive with a fallback to cut on response size
-    p.base_uri false
-    p.font_src false
-    p.img_src false
-    p.style_src false
-    p.media_src false
-    p.frame_src false
-    p.manifest_src false
-    p.connect_src false
-    p.script_src false
-    p.child_src false
-    p.worker_src false
-  end
-
  rescue_from ActiveRecord::RecordInvalid, Mastodon::ValidationError do |e|
    render json: { error: e.to_s }, status: 422
  end