author | Matthew Somerville <matthew-github@dracos.co.uk> | 2016-08-15 14:37:17 +0100 |
committer | Matthew Somerville <matthew-github@dracos.co.uk> | 2016-08-16 18:39:35 +0100 |
commit | 05f6e047cbce6dac05342659bd5f21ffcd88e833 (patch) | |
tree | 6a0ac667fdcbe99d153f941dcd5b8efa387997cc | |
parent | bef9203e2380df25372e3f8aa7c763a72ec4aa5a (diff) |
[fixmystreet.com] Add Content-Security-Policy.
-rw-r--r-- | perllib/FixMyStreet/App.pm | 3 | ||||
-rw-r--r-- | perllib/FixMyStreet/Cobrand/FixMyStreet.pm | 7 | ||||
-rw-r--r-- | templates/web/base/common_header_tags.html | 2 | ||||
-rw-r--r-- | templates/web/base/maps/google.html | 2 | ||||
-rw-r--r-- | templates/web/base/maps/wmts_config.html | 2 | ||||
-rw-r--r-- | templates/web/fixmystreet.com/header_extra.html | 2 | ||||
-rw-r--r-- | templates/web/fixmystreet.com/tracking_code.html | 4 |
7 files changed, 15 insertions, 7 deletions
diff --git a/perllib/FixMyStreet/App.pm b/perllib/FixMyStreet/App.pm index 3cbe1422f..4036e85ab 100644 --- a/perllib/FixMyStreet/App.pm +++ b/perllib/FixMyStreet/App.pm @@ -6,7 +6,6 @@ use Catalyst::Runtime 5.80; use FixMyStreet; use FixMyStreet::Cobrand; use Memcached; -use mySociety::Random qw(random_bytes); use FixMyStreet::Map; use FixMyStreet::Email; use Utils; @@ -161,6 +160,8 @@ sub setup_request { my $cobrand = $c->cobrand; + $cobrand->add_response_headers if $cobrand->can('add_response_headers'); + # append the cobrand templates to the include path $c->stash->{additional_template_paths} = $cobrand->path_to_web_templates; diff --git a/perllib/FixMyStreet/Cobrand/FixMyStreet.pm b/perllib/FixMyStreet/Cobrand/FixMyStreet.pm index b321a21c4..1fb822893 100644 --- a/perllib/FixMyStreet/Cobrand/FixMyStreet.pm +++ b/perllib/FixMyStreet/Cobrand/FixMyStreet.pm @@ -1,6 +1,8 @@ package FixMyStreet::Cobrand::FixMyStreet; use base 'FixMyStreet::Cobrand::UK'; +use mySociety::Random; + use constant COUNCIL_ID_BROMLEY => 2482; # Special extra @@ -17,6 +19,11 @@ sub path_to_email_templates { ]; } +sub add_response_headers { + my $self = shift; + my $csp_nonce = $self->{c}->stash->{csp_nonce} = unpack('h*', mySociety::Random::random_bytes(16, 1)); + $self->{c}->res->header('Content-Security-Policy', "script-src 'self' www.google-analytics.com www.googleadservices.com 'unsafe-inline' 'nonce-$csp_nonce'") +} # FixMyStreet should return all cobrands sub restriction { diff --git a/templates/web/base/common_header_tags.html b/templates/web/base/common_header_tags.html index 24d2f11e5..f34dea212 100644 --- a/templates/web/base/common_header_tags.html +++ b/templates/web/base/common_header_tags.html 
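Review bot: The policy built in add_response_headers lists both `'unsafe-inline'` and the per-request nonce in one `script-src`; per CSP Level 2 a browser that understands nonces ignores `'unsafe-inline'` once a nonce is present, so this enforces nonces in modern browsers and is permissive only in CSP1-era ones, and that intent should be written down, e.g. `# 'unsafe-inline' is a CSP1 fallback only: CSP2+ browsers drop it when a nonce is present`. The header carries a `script-src` directive alone, so plugin and base-URL vectors stay unrestricted; I would append `; object-src 'none'; base-uri 'self'` to the header string after confirming the site serves no plugin content. Any inline script that does not receive the nonce (cobrand templates, scripts injected by JS) is now blocked in enforcing browsers, so a `Content-Security-Policy-Report-Only` rollout or a `report-uri` would make such breakage visible. The `res->header(...)` call is the sub's last statement and lacks a terminating semicolon, which Perl tolerates, but an explicit `return;` after it would make the intent clear.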
@@ -7,7 +7,7 @@ <!--[if (lt IE 9)]> <script src="[% version('/js/html5shiv.js') %]""></script> <![endif]--> -<script> +<script nonce="[% csp_nonce %]"> window.Modernizr=function(e,t,n){function r(e){p.cssText=e}function o(e,t){return typeof e===t}var a,i,c,l="2.8.3",s={},u=t.documentElement,d="modernizr",f=t.createElement(d),p=f.style,m=({}.toString,{}),h=[],y=h.slice,v=function(e,n,r,o){var a,i,c,l,s=t.createElement("div"),f=t.body,p=f||t.createElement("body");if(parseInt(r,10))for(;r--;)c=t.createElement("div"),c.id=o?o[r]:d+(r+1),s.appendChild(c);return a=["­",'<style id="s',d,'">',e,"</style>"].join(""),s.id=d,(f?s:p).innerHTML+=a,p.appendChild(s),f||(p.style.background="",p.style.overflow="hidden",l=u.style.overflow,u.style.overflow="hidden",u.appendChild(p)),i=n(s,e),f?s.parentNode.removeChild(s):(p.parentNode.removeChild(p),u.style.overflow=l),!!i},g=function(t){var n=e.matchMedia||e.msMatchMedia;if(n)return n(t)&&n(t).matches||!1;var r;return v("@media "+t+" { #"+d+" { position: absolute; } }",function(t){r="absolute"==(e.getComputedStyle?getComputedStyle(t,null):t.currentStyle).position}),r},b={}.hasOwnProperty;c=o(b,"undefined")||o(b.call,"undefined")?function(e,t){return t in e&&o(e.constructor.prototype[t],"undefined")}:function(e,t){return b.call(e,t)};for(var E in m)c(m,E)&&(i=E.toLowerCase(),s[i]=m[E](),h.push((s[i]?"":"no-")+i));return r(""),f=a=null,s._version=l,s.mq=g,s.testStyles=v,s}(this,this.document); var fixmystreet=fixmystreet||{}; (function(b){var a=b.documentElement;a.className=a.className.replace(/\bno-js\b/,"js");var c=-1<a.className.indexOf("iel8"),c=Modernizr.mq("(min-width: 48em)")||c?"desktop":"mobile";b=b.getElementById("js-meta-data");fixmystreet.page=b.getAttribute("data-page");fixmystreet.cobrand=b.getAttribute("data-cobrand");"mobile"==c&&(a.className+=" mobile","around"==fixmystreet.page&&(a.className+=" mobile-reporting-map only-map"))})(document); 
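Review bot: The `nonce="[% csp_nonce %]"` attribute on the Modernizr bootstrap is only correct if the rendered HTML is never served from a cache: a nonce is per-response, and a cached body carries a stale nonce that will not match the freshly generated header, so the script would be blocked in enforcing browsers; App.pm imports Memcached but whether whole pages are cached is not visible here, so this needs confirming. This template lives under `base/` and is shared by every cobrand, while only the FixMyStreet cobrand sets `csp_nonce`, so other cobrands emit `nonce=""`; that is harmless without a CSP header but worth a template comment such as `[%# csp_nonce is set per request by the cobrand's add_response_headers; empty where no CSP is sent %]`. The `html5shiv.js` include inside the IE conditional comment is same-origin and therefore covered by `'self'`.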
diff --git a/templates/web/base/maps/google.html b/templates/web/base/maps/google.html index 456e47bfd..eeb4c9837 100644 --- a/templates/web/base/maps/google.html +++ b/templates/web/base/maps/google.html @@ -12,7 +12,7 @@ [% END %] [% map_html = BLOCK %] -<script type="text/javascript"> +<script nonce="[% csp_nonce %]"> var fixmystreet = fixmystreet || {}; $.extend(fixmystreet, { 'area': [ [% map.area.join(',') %] ], diff --git a/templates/web/base/maps/wmts_config.html b/templates/web/base/maps/wmts_config.html index 333455605..0b80a055b 100644 --- a/templates/web/base/maps/wmts_config.html +++ b/templates/web/base/maps/wmts_config.html @@ -1,4 +1,4 @@ -<script type="text/javascript"> +<script nonce="[% csp_nonce %]"> var fixmystreet = window.fixmystreet || {}; fixmystreet.wmts_config = { 'map_projection': '[% map.map_projection %]', diff --git a/templates/web/fixmystreet.com/header_extra.html b/templates/web/fixmystreet.com/header_extra.html index 442a87e72..64a8ee44a 100644 --- a/templates/web/fixmystreet.com/header_extra.html +++ b/templates/web/fixmystreet.com/header_extra.html @@ -4,7 +4,7 @@ [%# We are conducting an A/B experiment %] [% IF c.config.BASE_URL == "https://www.fixmystreet.com" AND not admin %] <script src="//www.google-analytics.com/cx/api.js?experiment=ZwMlZkAhSbK_tP_QG64QrQ"></script> -<script> +<script nonce="[% csp_nonce %]"> var variation = cxApi.chooseVariation(), docElement = document.documentElement, className = docElement.className; diff --git a/templates/web/fixmystreet.com/tracking_code.html b/templates/web/fixmystreet.com/tracking_code.html index 7213055d0..419a01088 100644 --- a/templates/web/fixmystreet.com/tracking_code.html +++ b/templates/web/fixmystreet.com/tracking_code.html 
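Review bot: In wmts_config.html the nonce now blesses an inline block that interpolates server-side values such as `'[% map.map_projection %]'` into JavaScript string literals, and once a block carries the nonce CSP can no longer block script injected through those values, so their escaping is the only remaining defence. These map settings presumably come from configuration rather than user input, but a comment stating that would help, e.g. `[%# values below are trusted config; this block is nonce-allowed so CSP will not catch injection here %]`, or emit them as a JSON object via a template filter so quoting is handled in one place. The enclosing `fixmystreet.wmts_config` literal continues outside the hunk.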
@@ -1,5 +1,5 @@ [% IF c.config.BASE_URL == "https://www.fixmystreet.com" %] -<script type="text/javascript"> +<script nonce="[% csp_nonce %]"> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) @@ -31,7 +31,7 @@ ga('send', 'pageview'); </script> [% IF created_report %] -<script type="text/javascript"> +<script nonce="[% csp_nonce %]"> var google_conversion_id = 1067468161; var google_conversion_language = "en"; var google_conversion_format = "3"; |
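Review bot: Both nonced blocks in tracking_code.html are emitted only when `c.config.BASE_URL` is the production URL, so a development or test run never exercises the nonce on these scripts and a mismatch between the stash value and the header would surface only in production; the commit adds no test asserting that the `Content-Security-Policy` header contains the same nonce the page renders, and one such test would catch that. The analytics loader created by the GA snippet (`a.src=g`) is allowed by the host entry in the policy rather than by the nonce, which is fine as long as `g` stays on `www.google-analytics.com`; a short comment noting that dependency, e.g. `[%# analytics.js is allowed by the script-src host list, not by the nonce %]`, would stop a future host change from silently breaking it. The conversion block's remaining lines continue outside the hunk.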