Load CSP from a config file.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: jlledom

.dockerignore

@@ -32,6 +32,7 @@ config/backend_redis.yml
 config/cache_store.yml
 config/core.yml
 config/cors.yml
+/config/content_security_policy.yml
 config/currencies.yml
 config/database.yml
 config/domain_substitution.yml

.gitignore

@@ -52,6 +52,7 @@ C:\\nppdf32Log\\debuglog.txt
 /config/cache_store.yml
 /config/core.yml
 /config/cors.yml
+/config/content_security_policy.yml
 /config/currencies.yml
 /config/database.yml
 /config/domain_substitution.yml

config/application.rb

@@ -256,6 +256,10 @@ def cache_store_config
     config.three_scale.cors.enabled = false
     config.three_scale.cors.merge!(try_config_for(:cors) || {})
 
+    config.three_scale.content_security_policy = ActiveSupport::OrderedOptions.new
+    config.three_scale.content_security_policy.enabled = false
+    config.three_scale.content_security_policy.merge!(try_config_for(:content_security_policy) || {})
+
     three_scale = config_for(:settings)
 
     three_scale[:error_reporting_stages] = three_scale[:error_reporting_stages].to_s.split(/\W+/)

config/examples/content_security_policy.yml

@@ -0,0 +1,33 @@
+base: &default
+  enabled: true
+  report_only: false
+
+  # Admin portal policy - restrictive but allows unsafe-inline/eval for existing code
+  # Dynamically includes RAILS_ASSET_HOST for CDN assets if configured
+  admin_portal_policy:
+    default_src: ["'self'"]
+    script_src: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "<%= ENV['RAILS_ASSET_HOST'] %>"]
+    style_src: ["'self'", "'unsafe-inline'", "<%= ENV['RAILS_ASSET_HOST'] %>"]
+    font_src: ["'self'", "data:", "<%= ENV['RAILS_ASSET_HOST'] %>"]
+    img_src: ["'self'", "data:", "blob:", "https:"]
+    connect_src: ["'self'"]
+    frame_src: ["'self'"]
+    frame_ancestors: ["'none'"]
+    object_src: ["'none'"]
+    base_uri: ["'self'"]
+
+  # Developer portal policy - permissive defaults for customization
+  developer_portal_policy:
+    default_src: [ "*", "data:", "mediastream:", "blob:", "filesystem:", "ws:", "wss:", "'unsafe-eval'", "'unsafe-inline'" ]
+
+development:
+  <<: *default
+  enabled: true
+
+test:
+  <<: *default
+  enabled: true
+
+production:
+  <<: *default
+  enabled: true

config/initializers/content_security_policy.rb

@@ -1,31 +1,32 @@
-# Be sure to restart your server when you modify this file.
+# frozen_string_literal: true
 
-# Define an application-wide content security policy.
-# See the Securing Rails Applications Guide for more information:
-# https://guides.rubyonrails.org/security.html#content-security-policy-header
+# Configure Content Security Policy headers
+# See: https://guides.rubyonrails.org/security.html#content-security-policy-header
 
-Rails.application.config.to_prepare do
-  Rails.application.config.content_security_policy do |policy|
-    policy.default_src '*', :data, :mediastream, :blob, :filesystem, :ws, :wss, :unsafe_eval, :unsafe_inline
+require_dependency 'three_scale/content_security_policy'
+
+if ThreeScale::ContentSecurityPolicy::AdminPortal.enabled?
+  # Apply configurable CSP from YAML
+  Rails.application.configure do
+    # Set report-only mode if configured
+    config.content_security_policy_report_only = true if ThreeScale::ContentSecurityPolicy::AdminPortal.report_only?
   end
-end
 
-# Rails.application.configure do
-#   config.content_security_policy do |policy|
-#     policy.default_src :self, :https
-#     policy.font_src    :self, :https, :data
-#     policy.img_src     :self, :https, :data
-#     policy.object_src  :none
-#     policy.script_src  :self, :https
-#     policy.style_src   :self, :https
-#     # Specify URI for violation reports
-#     # policy.report_uri "/csp-violation-report-endpoint"
-#   end
-#
-#   # Generate session nonces for permitted importmap, inline scripts, and inline styles.
-#   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-#   config.content_security_policy_nonce_directives = %w(script-src style-src)
-#
-#   # Report violations without enforcing the policy.
-#   # config.content_security_policy_report_only = true
-# end
+  # Apply global CSP policy from configuration
+  Rails.application.config.to_prepare do
+    policy_config = ThreeScale::ContentSecurityPolicy::AdminPortal.policy_config
+
+    if policy_config.present?
+      Rails.application.config.content_security_policy do |policy|
+        ThreeScale::ContentSecurityPolicy::AdminPortal.add_policy_config(policy, policy_config)
+      end
+    end
+  end
+else
+  # Fallback to permissive policy when config is disabled
+  Rails.application.config.to_prepare do
+    Rails.application.config.content_security_policy do |policy|
+      policy.default_src '*', :data, :mediastream, :blob, :filesystem, :ws, :wss, :unsafe_eval, :unsafe_inline
+    end
+  end
+end

config/initializers/inflections.rb

@@ -23,6 +23,7 @@
   inflect.acronym 'GitHub'
   inflect.acronym 'SSO'
   inflect.acronym 'OIDC' # OpenID Connect
+  inflect.acronym 'CSP' # Content Security Policy
 end
 
 # These inflection rules are supported but not enabled by default:

lib/developer_portal/lib/developer_portal/engine.rb

@@ -1,10 +1,17 @@
+# frozen_string_literal: true
+
+require 'three_scale/middleware/developer_portal_csp'
+
 module DeveloperPortal
   class Engine < ::Rails::Engine
     isolate_namespace DeveloperPortal
 
     config.autoload_paths += %W(#{config.root.join('lib')})
     config.paths.add 'lib', eager_load: true
 
+    # Apply Developer Portal specific CSP policy
+    config.middleware.use ThreeScale::Middleware::DeveloperPortalCSP
+
     initializer :assets do |config|
       Rails.application.config.assets.precompile += %w{ stats.css }
       Rails.application.config.assets.precompile += %w{ stats.js }

lib/developer_portal/lib/three_scale/middleware/developer_portal_csp.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module ThreeScale
+  module Middleware
+    class DeveloperPortalCSP
+      def initialize(app)
+        @app = app
+
+        # Pre-compute the CSP header once at startup since we don't use nonces or dynamic sources
+        @csp_header_name, @csp_header_value = compute_csp_header
+      end
+
+      def call(env)
+        request = ActionDispatch::Request.new(env)
+
+        # We want to apply CSP only for HTML requests. However, we can't just return
+        # because Rails will add global CSP policy (admin portal policy) to the response
+        # if we don't do anything. We disable CSP for this request to prevent Rails middleware
+        # to interfere.
+        unless request.format.html?
+          request.content_security_policy = false
+          return @app.call(env)
+        end
+
+        status, headers, _body = response = @app.call(env)
+
+        # Don't apply CSP to 304 responses to avoid cache issues
+        return response if status == 304
+
+        # Only apply if we have a pre-computed CSP header
+        headers[@csp_header_name] = @csp_header_value if @csp_header_value
+
+        response
+      end
+
+      private
+
+      def compute_csp_header
+        # Only compute if enabled and there's a policy configured
+        policy_config = ThreeScale::ContentSecurityPolicy::DeveloperPortal.policy_config
+        return [nil, nil] unless ThreeScale::ContentSecurityPolicy::DeveloperPortal.enabled? && policy_config.present?
+
+        # Build the policy once at initialization
+        policy = ThreeScale::ContentSecurityPolicy::DeveloperPortal.build_policy(policy_config)
+        header_name = if ThreeScale::ContentSecurityPolicy::DeveloperPortal.report_only?
+                        ActionDispatch::Constants::CONTENT_SECURITY_POLICY_REPORT_ONLY
+                      else
+                        ActionDispatch::Constants::CONTENT_SECURITY_POLICY
+                      end
+        header_value = policy.build
+
+        [header_name, header_value]
+      end
+    end
+  end
+end

lib/three_scale/content_security_policy.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module ThreeScale
+  module ContentSecurityPolicy
+    class Base
+      class << self
+        def config
+          @config ||= Rails.configuration.three_scale.content_security_policy
+        end
+
+        def enabled?
+          config&.enabled == true
+        end
+
+        def policy_config
+          raise NoMethodError, "#{__method__} not implemented in #{self.class}"
+        end
+
+        def report_only?
+          config&.report_only == true
+        end
+
+        # Builds an ActionDispatch::ContentSecurityPolicy object from a policy configuration hash
+        def build_policy(policy_config)
+          ActionDispatch::ContentSecurityPolicy.new do |policy|
+            add_policy_config(policy, policy_config)
+          end
+        end
+
+        # Applies a policy configuration hash to an existing policy object
+        def add_policy_config(policy, policy_config)
+          policy_config.each do |directive, values|
+            method_name = directive.to_s
+            next unless policy.respond_to?(method_name)
+
+            # Handle directives with sources (arrays) vs boolean directives
+            if values.is_a?(Array)
+              policy.public_send(method_name, *values)
+            else
+              policy.public_send(method_name, values)
+            end
+          end
+        end
+      end
+    end
+
+    class AdminPortal < Base
+      class << self
+        def policy_config
+          config&.admin_portal_policy&.to_h || {}
+        end
+      end
+    end
+
+    class DeveloperPortal < Base
+      class << self
+        def policy_config
+          config&.developer_portal_policy&.to_h || {}
+        end
+      end
+    end
+  end
+end