From 3c5475e84de14bfd8d36089cd8c277983aa7b54c Mon Sep 17 00:00:00 2001 From: Richard Towers Date: Fri, 6 Aug 2021 16:44:41 +0100 Subject: [PATCH] Add CKAN_DOMAIN to the CSP on previews Some organograms are hosted on ckan.publishing.service.gov.uk, instead of s3-eu-west-1.amazonaws.com. The previews for these organograms are currently broken because the content security policy prevents the JavaScript from downloading the files from the CKAN domain. I confirmed that the CSP was the only issue by disabling CSP in my browser (using a plugin) and confirming that the broken previews worked correctly. Since the CSP already permits all of S3 eu-west-1 in the connect_src, adding CKAN to the CSP feels like a very small piece of extra security attack surface. And it should be a quick way to fix the bug where some organogram previews don't show up. I tried to add a test for this, but rails controller tests don't execute enough of the stack for the SecureHeaders gem to do its thing and set the CSP header. It might be possible to test with a feature test, but that feels like overkill. --- app/controllers/previews_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/previews_controller.rb b/app/controllers/previews_controller.rb index 47b2dab6..12463990 100644 --- a/app/controllers/previews_controller.rb +++ b/app/controllers/previews_controller.rb @@ -1,7 +1,7 @@ class PreviewsController < ApplicationController def show append_content_security_policy_directives( - connect_src: %w[s3-eu-west-1.amazonaws.com], + connect_src: ["s3-eu-west-1.amazonaws.com", ENV["CKAN_DOMAIN"]].compact, ) @dataset = Dataset.get_by_uuid(uuid: params[:dataset_uuid])
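Review bot: `.compact` on the added `connect_src:` line only drops a nil `ENV["CKAN_DOMAIN"]`; a variable that is present but empty would still be passed into the directive as a blank source. Suggest `ENV["CKAN_DOMAIN"].presence` inside the array so both nil and "" are skipped, and, since the value is emitted verbatim into the policy, consider checking at boot that it is a bare hostname so a misconfigured value cannot widen the directive beyond the intended CKAN host. On the missing test mentioned in the commit message: a request spec (rather than a controller test) runs the full middleware stack, so it could assert that the `Content-Security-Policy` response header includes the configured domain without needing a feature test.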