From 112eae6d8369f5fd7cbcc64db7e1e42866fb613d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joan=20Lled=C3=B3?=
Date: Tue, 2 Jul 2024 16:46:49 +0200
Subject: [PATCH] Enable `Content-Security-Policy` (#394)

---
 lib/3scale/backend/cors.rb | 13 +++-------
 lib/3scale/backend/csp.rb | 31 +++++++++++++++++++++++++
 lib/3scale/backend/headers/stringify.rb | 17 ++++++++++++++
 lib/3scale/backend/listener.rb | 3 +++
 4 files changed, 54 insertions(+), 10 deletions(-)
 create mode 100644 lib/3scale/backend/csp.rb
 create mode 100644 lib/3scale/backend/headers/stringify.rb

diff --git a/lib/3scale/backend/cors.rb b/lib/3scale/backend/cors.rb
index 65a83f501..b006f427f 100644
--- a/lib/3scale/backend/cors.rb
+++ b/lib/3scale/backend/cors.rb
@@ -1,3 +1,5 @@
+require '3scale/backend/headers/stringify'
+
 # CORS support
 #
 # Please see references:
@@ -8,16 +10,7 @@
 module ThreeScale
 module Backend
 module CORS
- def self.stringify_consts(*consts)
- consts.each do |k|
- val = const_get k
- val = val.respond_to?(:join) ? val.join(', ') : val.to_s
- k_s = "#{k}_S".to_sym
- const_set(k_s, val.freeze)
- private_constant k_s
- end
- end
- private_class_method :stringify_consts
+ extend Headers::Stringify

 MAX_AGE = 86400
 private_constant :MAX_AGE
diff --git a/lib/3scale/backend/csp.rb b/lib/3scale/backend/csp.rb
new file mode 100644
index 000000000..443ca5cbb
--- /dev/null
+++ b/lib/3scale/backend/csp.rb
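Review bot: The removed `private_class_method :stringify_consts` has no counterpart in this hunk, so after `extend Headers::Stringify` the helper becomes a public singleton method — `CORS.stringify_consts(:ANY_CONST)` is now callable from anywhere and will `const_set`/`private_constant` new constants on the module from outside it. Keeping `private_class_method :stringify_consts` on the line directly after `extend Headers::Stringify` restores the previous visibility without touching the shared module. The `module CORS` body continues past the end of the hunk, so I cannot see whether anything else relies on the method being public.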
@@ -0,0 +1,31 @@
+require '3scale/backend/headers/stringify'
+
+# CSP support
+#
+# Please see references:
+#
+# https://content-security-policy.com/
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources
+module ThreeScale
+ module Backend
+ module CSP
+ extend Headers::Stringify
+
+ CSP_VALUES = "default-src 'self'".freeze
+ private_constant :CSP_VALUES
+
+ CSP_HEADERS = {
+ 'Content-Security-Policy'.freeze => CSP_VALUES
+ }.freeze
+ private_constant :CSP_HEADERS
+
+ stringify_consts :CSP_VALUES, :CSP_HEADERS
+
+ def self.headers
+ CSP_HEADERS
+ end
+ end
+ end
+end
diff --git a/lib/3scale/backend/headers/stringify.rb b/lib/3scale/backend/headers/stringify.rb
new file mode 100644
index 000000000..2d3c94598
--- /dev/null
+++ b/lib/3scale/backend/headers/stringify.rb
@@ -0,0 +1,17 @@
+module ThreeScale
+ module Backend
+ module Headers
+ module Stringify
+ def stringify_consts(*consts)
+ consts.each do |k|
+ val = const_get k
+ val = val.respond_to?(:join) ? val.join(', ') : val.to_s
+ k_s = "#{k}_S".to_sym
+ const_set(k_s, val.freeze)
+ private_constant k_s
+ end
+ end
+ end
+ end
+ end
+end
diff --git a/lib/3scale/backend/listener.rb b/lib/3scale/backend/listener.rb
index 1067e1479..c38ac8ff2 100644
--- a/lib/3scale/backend/listener.rb
+++ b/lib/3scale/backend/listener.rb
@@ -1,5 +1,6 @@
 require '3scale/backend/version'
 require '3scale/backend/cors'
+require '3scale/backend/csp'
 require 'json'

 module ThreeScale
@@ -130,6 +131,8 @@ class Listener < Sinatra::Base
 content_type 'application/vnd.3scale-v2.0+xml'.freeze
 # enable CORS for all our endpoints
 response.headers.merge!(CORS.headers)
+ # enable CSP for all our endpoints
+ response.headers.merge!(CSP.headers)
 end

 # Enable CORS pre-flight request for all our endpoints
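Review bot: `default-src 'self'` in `CSP_VALUES` does not govern `frame-ancestors`, `base-uri` or `form-action` (those directives have no `default-src` fallback), so this policy gives no clickjacking protection, and it still permits same-origin scripts, styles and frames that a backend answering `application/vnd.3scale-v2.0+xml` (per the listener.rb hunk) never serves. If the intent is a hardening header for a pure API, the usual choice is fully closed: `CSP_VALUES = "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'".freeze` — worth confirming first that no endpoint renders HTML. Separately, `stringify_consts :CSP_VALUES, :CSP_HEADERS` defines `CSP_VALUES_S` (a copy of the string) and `CSP_HEADERS_S` (the Hash's `to_s`, i.e. `{"Content-Security-Policy"=>"default-src 'self'"}`) which nothing in this file reads; either drop that line or add a comment stating what the `_S` variants are for.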
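Review bot: `Headers::Stringify#stringify_consts` ships with no documentation, and its `val.to_s` fallback for any constant that does not respond to `join` produces an inspect-style string rather than a header value — the `csp.rb` hunk in this same patch already passes it a Hash. I would state the contract above `def stringify_consts`: `# For each constant name, define a frozen private <NAME>_S constant: an Array is joined with ', ' (an HTTP header list), anything else is to_s'd. Meant for header-value arrays only.` If only Arrays and Strings are expected, an explicit `raise ArgumentError, "#{k} is not a header value list" unless val.is_a?(Array) || val.is_a?(String)` before the `k_s` line would make misuse fail at load time; whether the CORS constants are all Arrays/Strings is not visible here, so confirm before adding it.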
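Review bot: No test accompanies the new `response.headers.merge!(CSP.headers)` line — the diffstat lists only the four `lib/` files — so nothing pins the header to actual responses. A request-level test asserting `last_response.headers['Content-Security-Policy'] == "default-src 'self'"` on a representative endpoint, and on an error response, would catch a regression if this block is later bypassed. The block the merge runs in starts before the hunk (presumably a Sinatra `before` filter); responses produced by paths that skip it, if any exist, would not carry the header, which is worth confirming. The added comment could also say why the header matters here, e.g. `# CSP: a browser that renders our XML directly must not load or execute anything`.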