Load CSP from a config file.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: jlledom

.dockerignore

@@ -32,6 +32,7 @@ config/backend_redis.yml
 config/cache_store.yml
 config/core.yml
 config/cors.yml
+/config/content_security_policy.yml
 config/currencies.yml
 config/database.yml
 config/domain_substitution.yml

.gitignore

@@ -52,6 +52,7 @@ C:\\nppdf32Log\\debuglog.txt
 /config/cache_store.yml
 /config/core.yml
 /config/cors.yml
+/config/content_security_policy.yml
 /config/currencies.yml
 /config/database.yml
 /config/domain_substitution.yml

config/application.rb

@@ -256,6 +256,10 @@ def cache_store_config
     config.three_scale.cors.enabled = false
     config.three_scale.cors.merge!(try_config_for(:cors) || {})
 
+    config.three_scale.content_security_policy = ActiveSupport::OrderedOptions.new
+    config.three_scale.content_security_policy.enabled = false
+    config.three_scale.content_security_policy.merge!(try_config_for(:content_security_policy) || {})
+
     three_scale = config_for(:settings)
 
     three_scale[:error_reporting_stages] = three_scale[:error_reporting_stages].to_s.split(/\W+/)

config/examples/content_security_policy.yml

@@ -0,0 +1,36 @@
+base: &default
+  enabled: true
+
+  # Global CSP settings
+  report_only: false
+  report_uri: null
+  nonce_generator: true  # Enable nonce for inline scripts/styles
+  nonce_directives:
+    - script-src
+    - style-src
+
+  # CSP Policy Directives
+  policy:
+    default_src: ["'self'"]
+    script_src: ["'self'", "'unsafe-eval'", "'unsafe-inline'"]
+    style_src: ["'self'", "'unsafe-inline'"]
+    img_src: ["'self'", "data:", "https:"]
+    font_src: ["'self'", "data:"]
+    connect_src: ["'self'"]
+    frame_src: ["'self'"] # Needed for Swagger/ActiveDocs iframes
+    frame_ancestors: ["'self'"] # Modern replacement for X-Frame-Options: SAMEORIGIN
+    object_src: ["'none'"]
+    base_uri: ["'self'"]
+    form_action: ["'self'"]
+
+development:
+  <<: *default
+  enabled: false
+
+test:
+  <<: *default
+  enabled: false
+
+production:
+  <<: *default
+  enabled: true

config/initializers/content_security_policy.rb

@@ -1,31 +1,57 @@
-# Be sure to restart your server when you modify this file.
+# frozen_string_literal: true
 
-# Define an application-wide content security policy.
-# See the Securing Rails Applications Guide for more information:
-# https://guides.rubyonrails.org/security.html#content-security-policy-header
+# Configure Content Security Policy headers
+# See: https://guides.rubyonrails.org/security.html#content-security-policy-header
 
-Rails.application.config.to_prepare do
-  Rails.application.config.content_security_policy do |policy|
-    policy.default_src '*', :data, :mediastream, :blob, :filesystem, :ws, :wss, :unsafe_eval, :unsafe_inline
+require_dependency 'three_scale/content_security_policy'
+
+if ThreeScale::ContentSecurityPolicy.enabled?
+  # Apply configurable CSP from YAML
+  Rails.application.configure do
+    # Configure nonce generation if enabled
+    if ThreeScale::ContentSecurityPolicy.nonce_enabled?
+      config.content_security_policy_nonce_generator = ->(request) {
+        SecureRandom.base64(16)
+      }
+
+      nonce_directives = ThreeScale::ContentSecurityPolicy.nonce_directives
+      config.content_security_policy_nonce_directives = nonce_directives unless nonce_directives.empty?
+    end
+
+    # Set report-only mode if configured
+    if ThreeScale::ContentSecurityPolicy.report_only?
+      config.content_security_policy_report_only = true
+    end
   end
-end
 
-# Rails.application.configure do
-#   config.content_security_policy do |policy|
-#     policy.default_src :self, :https
-#     policy.font_src    :self, :https, :data
-#     policy.img_src     :self, :https, :data
-#     policy.object_src  :none
-#     policy.script_src  :self, :https
-#     policy.style_src   :self, :https
-#     # Specify URI for violation reports
-#     # policy.report_uri "/csp-violation-report-endpoint"
-#   end
-#
-#   # Generate session nonces for permitted importmap, inline scripts, and inline styles.
-#   config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
-#   config.content_security_policy_nonce_directives = %w(script-src style-src)
-#
-#   # Report violations without enforcing the policy.
-#   # config.content_security_policy_report_only = true
-# end
+  # Apply global CSP policy from configuration
+  Rails.application.config.to_prepare do
+    policy_config = ThreeScale::ContentSecurityPolicy.policy_config
+
+    if policy_config.present?
+      Rails.application.config.content_security_policy do |policy|
+        # Apply each directive from YAML config
+        policy_config.each do |directive, sources|
+          next unless sources.is_a?(Array)
+
+          method_name = directive.to_s
+          if policy.respond_to?(method_name)
+            policy.public_send(method_name, *sources)
+          end
+        end
+
+        # Add report-uri if configured
+        if (uri = ThreeScale::ContentSecurityPolicy.report_uri)
+          policy.report_uri uri
+        end
+      end
+    end
+  end
+else
+  # Fallback to permissive policy when config is disabled
+  Rails.application.config.to_prepare do
+    Rails.application.config.content_security_policy do |policy|
+      policy.default_src '*', :data, :mediastream, :blob, :filesystem, :ws, :wss, :unsafe_eval, :unsafe_inline
+    end
+  end
+end

lib/three_scale/content_security_policy.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module ThreeScale
+  module ContentSecurityPolicy
+    class << self
+      def config
+        @config ||= Rails.configuration.three_scale.content_security_policy
+      end
+
+      def enabled?
+        config&.enabled == true
+      end
+
+      def policy_config
+        config&.policy&.to_h || {}
+      end
+
+      def report_only?
+        config&.report_only == true
+      end
+
+      def report_uri
+        config&.report_uri.presence
+      end
+
+      def nonce_enabled?
+        config&.nonce_generator == true
+      end
+
+      def nonce_directives
+        config&.nonce_directives&.map(&:to_s) || []
+      end
+    end
+  end
+end